
What headers should a client be allowed to send? #39


Merged: 3 commits, Apr 11, 2021

Conversation

pietercolpaert
Contributor

I see https://solid.github.io/web-access-control-spec/Background as a great background document on Cross Origin Resource Sharing. The document proposes a default set of headers to be allowed by all servers in the ecosystem.

With this pull request I would like to open the discussion to accepting more headers by default. For me in particular, the Accept header was lacking.

@pietercolpaert
Contributor Author

Rereading the document I’m starting to doubt whether my pull request makes sense: is it possible that Access-Control-Expose-Headers is described, and not necessarily the Access-Control-Allow-Headers when a preflight response is given?

@acoburn
Member

acoburn commented Mar 26, 2019

It is worth noting that Accept is considered a "Simple Header" by the CORS specification and as such it is not necessary to list it in the Access-Control-Allow-Headers preflight response.

Also, Access-Control-Expose-Headers refers to response headers that a web browser is allowed to accept from a server; Access-Control-Allow-Headers refers to request headers that a web browser is permitted to send.

@pietercolpaert
Contributor Author

pietercolpaert commented Mar 26, 2019

> It is worth noting that Accept is considered a "Simple Header" by the CORS specification and as such it is not necessary to list it in the Access-Control-Allow-Headers preflight response.

The WHATWG fetch specification changed this recently: when, for example, your Accept header is larger than 128 bytes, a preflight request gets sent regardless and the response Access-Control-Allow-Headers header needs to include Accept. See whatwg/fetch#862

> Also, Access-Control-Expose-Headers refers to response headers that a web browser is allowed to accept from a server; Access-Control-Allow-Headers refers to request headers that a web browser is permitted to send.

But isn’t Access-Control-Expose-Headers what the document describes while wrongly mentioning the Access-Control-Allow-Headers header?

@acoburn
Member

acoburn commented Mar 26, 2019

@pietercolpaert that's interesting about the WhatWG fetch specification. That seems to suggest that adding Accept to the -Allow-Headers response would be appropriate. I certainly can't see why adding that would be incorrect: in the worst case, it's just redundant.

I think you're correct about -Expose and -Allow: in that background document, it appears that Access-Control-Expose-Headers is conflated with Access-Control-Allow-Headers, since the example includes both request and response headers.

@pietercolpaert
Contributor Author

pietercolpaert commented Mar 27, 2019

@acoburn I adapted this pull request to reflect this as discussed in the background document.

@pietercolpaert
Contributor Author

Can this be merged? At this moment the document is a bit confusing otherwise.

@kjetilk kjetilk added this to the Spec Pull Requests milestone Apr 15, 2019
@csarven csarven merged commit d2d112f into solid:main Apr 11, 2021
@csarven
Member

csarven commented Apr 11, 2021

Merging as is since it corrects background material.

Thanks @pietercolpaert.
