
Drop Origin & Accept from Access-Control-Allow-Headers value #3225

Commits on Jun 3, 2021

  1. Drop Origin & Accept from Access-Control-Allow-Headers value

    This change drops the Origin and Accept header names from the
    recommended value for the CORS Access-Control-Allow-Headers header. Per
    the CORS protocol, it’s not necessary or useful to include them.
    
    Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin
    is a “forbidden header name” set by the browser and that frontend
    JavaScript code is never allowed to set.
    
    So the value of Access-Control-Allow-Headers isn’t relevant to Origin or
    in general to other headers set by the browser itself — the browser
    never ever consults the Access-Control-Allow-Headers value to confirm
    that it’s OK for the request to include an Origin header.
    
    And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
    Accept is a “CORS-safelisted request-header”, which means that browsers
    allow requests to contain the Accept header regardless of whether the
    Access-Control-Allow-Headers value contains "Accept".
    
    So it’s unnecessary for the Access-Control-Allow-Headers to explicitly
    include Accept. Browsers will not perform a CORS preflight for requests
    containing an Accept request header.
    
    Related: matrix-org/synapse#10114
    
    Signed-off-by: Michael[tm] Smith <mike@w3.org>
    sideshowbarker committed Jun 3, 2021
    Commit 2481074
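The browser-side rules the commit message relies on, as an added JavaScript model that is not code from the commit or from the project: the forbidden and safelisted name lists are an abbreviated reading of the Fetch spec, and the wildcard and Authorization handling follows that spec's preflight algorithm.

```javascript
// Added example, not code from the commit: a simplified model of the browser
// rules the message relies on (abbreviated reading of the Fetch spec).

// Forbidden header names are set by the browser and can never be added by
// script, so Access-Control-Allow-Headers is never consulted for them.
const FORBIDDEN = new Set(['origin', 'host', 'cookie', 'referer', 'connection',
  'content-length', 'date', 'keep-alive', 'te', 'trailer', 'upgrade', 'via']);
const isForbidden = (name) =>
  FORBIDDEN.has(name) || name.startsWith('sec-') || name.startsWith('proxy-');

// CORS-safelisted request headers need no preflight, subject to value limits
// (value <= 128 bytes; Content-Type restricted to three media types).
const SAFE_CONTENT_TYPES = new Set(
  ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
function isSafelisted(name, value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  switch (name) {
    case 'accept': case 'accept-language': case 'content-language':
      return true;
    case 'content-type':
      return SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    default:
      return false;
  }
}

// Classify each header as 'browser-set', 'safelisted' or 'unsafe'. Only
// 'unsafe' names trigger a preflight and must be listed by the server.
function classifyHeaders(headers) {
  const out = {};
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    out[name] = isForbidden(name) ? 'browser-set'
      : isSafelisted(name, value) ? 'safelisted' : 'unsafe';
  }
  return out;
}

// Preflight check: every 'unsafe' name must match an Access-Control-Allow-Headers
// entry case-insensitively; '*' only counts for requests without credentials
// and never covers Authorization.
function preflightAllows(headers, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(allowHeadersValue.split(',')
    .map((s) => s.trim().toLowerCase()).filter(Boolean));
  const wildcard = allowed.has('*') && !withCredentials;
  return Object.entries(classifyHeaders(headers))
    .filter(([, kind]) => kind === 'unsafe')
    .every(([name]) => allowed.has(name) || (wildcard && name !== 'authorization'));
}
```

Listing `Origin, Accept` in Access-Control-Allow-Headers leaves a request with an unsafe header such as X-Requested-With rejected, while omitting both names costs nothing, which is the point of the change.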