Wording suggests that CORS-preflight requests systematically include an Access-Control-Request-Headers header #1717

Closed
jub0bs opened this issue Oct 14, 2023 · 4 comments · Fixed by #1719
Labels: clarification (Standard could be clearer), topic: cors

jub0bs commented Oct 14, 2023

What is the issue with the Fetch Standard?

Section 3.2.2 contains the following passage:

A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses OPTIONS as method and includes these headers:

  • Access-Control-Request-Method
    Indicates which method a future CORS request to the same resource might use.

  • Access-Control-Request-Headers
    Indicates which headers a future CORS request to the same resource might use.

(my emphasis)

This wording suggests that CORS-preflight requests systematically include the two headers in question. However, in reality, CORS-preflight requests systematically contain an Access-Control-Request-Method header and only optionally contain an Access-Control-Request-Headers header.

This ambiguity may lead developers of CORS middleware to misclassify CORS-preflight requests; here is one example.


I suggest a reformulation, perhaps something like the following:

A CORS-preflight request is a CORS request that checks to see if the CORS protocol is understood. It uses OPTIONS as method and systematically includes the following header:

  • Access-Control-Request-Method
    Indicates which method a future CORS request to the same resource might use.

A CORS-preflight request may also include the following header:

  • Access-Control-Request-Headers
    Indicates which headers a future CORS request to the same resource might use.
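
Added example (not part of the original thread, and not code from the Fetch Standard or from any CORS middleware project): the classification discussed in the comment above, in Go, contrasting a check that requires Access-Control-Request-Headers with one that treats it as optional. The function names, URLs and sample requests are constructed for illustration; the Origin check is included because a CORS-preflight request is itself a CORS request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hasHeader reports whether the request carries the named header at all.
func hasHeader(r *http.Request, name string) bool {
	_, ok := r.Header[http.CanonicalHeaderKey(name)]
	return ok
}

// isPreflight classifies per the clarified wording: OPTIONS method, an Origin
// header (a preflight is a CORS request) and Access-Control-Request-Method.
func isPreflight(r *http.Request) bool {
	return r.Method == http.MethodOptions &&
		hasHeader(r, "Origin") &&
		hasHeader(r, "Access-Control-Request-Method")
}

// isPreflightStrict is the misreading the issue warns about: it additionally
// demands Access-Control-Request-Headers, which is optional.
func isPreflightStrict(r *http.Request) bool {
	return isPreflight(r) && hasHeader(r, "Access-Control-Request-Headers")
}

// newRequest builds a constructed sample request (hypothetical URL and values).
func newRequest(method string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(method, "https://api.example.test/items/1", nil)
	for name, value := range headers {
		r.Header.Set(name, value)
	}
	return r
}

func main() {
	origin := "https://app.example.test"
	samples := map[string]*http.Request{
		"preflight without ACRH": newRequest("OPTIONS", map[string]string{
			"Origin": origin, "Access-Control-Request-Method": "DELETE"}),
		"preflight with ACRH": newRequest("OPTIONS", map[string]string{
			"Origin": origin, "Access-Control-Request-Method": "PUT",
			"Access-Control-Request-Headers": "content-type"}),
		"plain OPTIONS": newRequest("OPTIONS", map[string]string{"Origin": origin}),
	}
	for name, r := range samples {
		fmt.Printf("%-24s correct=%-5v strict=%v\n", name, isPreflight(r), isPreflightStrict(r))
	}
}
```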


annevk commented Oct 16, 2023

Wording nits:

  1. "and includes the following header"
  2. "can also include the following header"

For consistency with the surrounding sections.


jub0bs commented Nov 7, 2023

@annevk Any feedback? Are you happy with my changes? Or did I miss something in the requirements for this PR to get merged?

annevk pushed a commit that referenced this issue Nov 8, 2023
Clarify that, although CORS-preflight requests systematically include an Access-Control-Request-Method header, they do not systematically include an Access-Control-Request-Headers header.

Fixes #1717.

annevk commented Nov 8, 2023

All good, was just occupied with other things for a bit.
