A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses OPTIONS as method and includes these headers:
Access-Control-Request-Method
Indicates which method a future CORS request to the same resource might use.
Access-Control-Request-Headers
Indicates which headers a future CORS request to the same resource might use.
(my emphasis)
This wording suggests that CORS-preflight requests systematically include the two headers in question. However, in reality, CORS-preflight requests systematically contain an Access-Control-Request-Method header and only optionally contain an Access-Control-Request-Headers header.
I suggest a reformulation, perhaps something like the following:
A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses OPTIONS as method and systematically includes the following header:
Access-Control-Request-Method
Indicates which method a future CORS request to the same resource might use.
A CORS-preflight request may also include the following header:
Access-Control-Request-Headers
Indicates which headers a future CORS request to the same resource might use.
Clarify that, although CORS-preflight requests systematically include an Access-Control-Request-Method header, they do not systematically include an Access-Control-Request-Headers header.
Fixes #1717.
What is the issue with the Fetch Standard?
Section 3.2.2 contains the following passage:
(my emphasis)
This wording suggests that CORS-preflight requests systematically include the two headers in question. However, in reality, CORS-preflight requests systematically contain an Access-Control-Request-Method header and only optionally contain an Access-Control-Request-Headers header. This ambiguity may lead developers of CORS middleware to misclassify CORS-preflight requests; here is one example.
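The misclassification the issue describes, as an added example that is not code from the issue, its author, or the Fetch Standard: a preflight check that treats Access-Control-Request-Headers as mandatory, next to one that requires only Access-Control-Request-Method. The request shape (`{ method, headers }`), the function names and the sample requests are assumptions constructed for illustration; the Origin test reflects the Fetch Standard's definition of a CORS request as one that carries an Origin header.

```javascript
// Added example: two ways a CORS middleware might classify a preflight request.
// The request shape and all names below are assumptions, not a real library's API.

// Return a header's value, matching its name case-insensitively.
function header(req, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(req.headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Misclassifying check: treats Access-Control-Request-Headers as mandatory.
function isPreflightStrict(req) {
  return req.method === 'OPTIONS' &&
    header(req, 'Origin') !== undefined &&
    header(req, 'Access-Control-Request-Method') !== undefined &&
    header(req, 'Access-Control-Request-Headers') !== undefined;
}

// Check matching the issue: only Access-Control-Request-Method is required.
function isPreflight(req) {
  return req.method === 'OPTIONS' &&
    header(req, 'Origin') !== undefined &&
    header(req, 'Access-Control-Request-Method') !== undefined;
}

// Constructed sample requests (origin and header values are made up).
const samples = {
  preflightWithHeaders: { method: 'OPTIONS', headers: {
    'Origin': 'https://app.example',
    'Access-Control-Request-Method': 'PUT',
    'Access-Control-Request-Headers': 'content-type' } },
  preflightMethodOnly: { method: 'OPTIONS', headers: {
    'origin': 'https://app.example',
    'access-control-request-method': 'DELETE' } },
  plainOptions: { method: 'OPTIONS', headers: { 'Origin': 'https://app.example' } },
  actualRequest: { method: 'DELETE', headers: { 'Origin': 'https://app.example' } },
};

// Apply one classifier to every sample and return { sampleName: boolean }.
function classifyAll(check) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, req]) => [name, check(req)]));
}

console.log('strict :', classifyAll(isPreflightStrict));
console.log('correct:', classifyAll(isPreflight));
```

With the strict check, the method-only preflight falls through to whatever handles ordinary OPTIONS requests instead of the preflight path.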