Treatment of empty-valued Access-Control-Request-Headers #459
Comments
|
Yeah, given that it causes issues we should definitely change it back. I don't think this change was even intentional. Do you prefer your name with "o" or "ø" by the way? I've seen you use both forms. |
|
Thanks for quickly following up, appreciated. I'll re-sync Blink, the crbug issue suggests that it is the only one that had changed. (Passport uses ø, only preference is not having encoding issues :) ) |
annevk
added a commit
to web-platform-tests/wpt
that referenced
this issue
Jan 18, 2017
dougt
pushed a commit
to dougt/chromium
that referenced
this issue
Jan 18, 2017
Following whatwg/fetch#459 , the above preflight header should not be included if the request following CORS has no headers to enumerate in a preflight. R=tyoshino,yhirano BUG=633729 Review-Url: https://codereview.chromium.org/2633423003 Cr-Commit-Position: refs/heads/master@{#444303}
annevk
added a commit
to web-platform-tests/wpt
that referenced
this issue
Jan 19, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Following steps 3-5 of https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 , a CORS-preflight request will always include a "Access-Control-Request-Headers" mapping, even if |headers| is empty. (Which is consistent with https://fetch.spec.whatwg.org/#http-new-header-syntax)
This represents a change from earlier treatments of this header value for preflights ( https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0 ), which left it out if the preflighted requests only had CORS-safelisted headers (nee author request headers)... even though it was spec'ed as legal to send an empty value.
This is change in behaviour is causing some downstream services to fail upon encountering such an empty-valued header, see https://crbug.com/633729 . Might it be worth considering limiting ACRH to non-empty values?
The text was updated successfully, but these errors were encountered: