On 2011-06-20 21:28, Jonas Sicking wrote:
On Mon, Jun 20, 2011 at 7:13 AM, Per-Erik Brodin
<[email protected]> wrote:
On 2011-06-20 12:53, Jonas Sicking wrote:
Headers that the implementation adds doesn't need to be added to this
list. For example the "Host" header is set by the browser in almost
all situations, but it does not need to be added to the list of
"simple headers". Indeed, adding in there would an out right bad idea.
So I'm not convinced that the Last-Event-ID header needs to be in the
list.
Only "custom request headers" are matched against the list of "simple
headers" and "Host" is not a custom header set by the EventSource
implementation, hence there is no need to add it to the list.
In XHR Level 2 the custom request headers are the "author request headers".
An option would be to always match the list of simple headers against author
request headers only.
It seems like you are saying exactly what I was saying? Am I missing something?
What I am saying is that currently CORS defines "custom request headers"
and that can be interpreted as all headers that are set by the API
implementations (such as "Last-Event-ID" set by EventSource but not
including the headers normally set by the HTTP loader, such as "Host"),
regardless if they are author supplied or not. Since this has the
downside that all new specifications that want to use CORS will have to
rely on the CORS spec being updated if any new custom headers are going
to be used, I agree with your proposal to match only author supplied
headers against the list of simple headers.
//Per-Erik
