On Sat, 2011-12-17 at 16:10 +0100, Anne van Kesteren wrote: > On Fri, 29 Jul 2011 14:25:07 +0200, Vladimir Dzhuvinov > <[email protected]> wrote: > > Regarding "6. Resource processing model": [item 3] "A list of headers > > consisting of zero or more header field names that are supported by > > the resource.": > > > > Is this list supposed to be > > > > 1) of the non-simple headers only - as per > > http://dev.w3.org/2006/waf/access-control/#simple-header or > > > > 2) of all supported headers that the author may choose to set, > > including those that qualify as simple? > > > > Because right now the Java CORS filter expects to receive only > > non-simple headers in "Access-Control-Request-Headers", and if for > > some reason the browser has decided to include a simple header, e.g. > > "Accept", in the preflight request it won't be allowed to proceed. > > My apologies for forgetting to reply to this message. Fortunately it was > still somewhere in my inbox! It seems your Java CORS filter has a bug as > simple headers can be included there (for consistency).
This and a few other issues with the CORS Filter were sorted out last year thanks to user feedback and patches. Happy new year, Anne! -- Vladimir Dzhuvinov :: [email protected]
