![]() But why should this limitation apply to specifying which request headers are allowed? Headers aren't specific to a requesting domain like cookies. I understand that we can't have credentialed requests with Access-Control-Allow-Origin: * at least in part because cookies need to be specific to a domain, so if the response includes the Set-Cookie header, we need to know which domain it's going to be created in. Rory & what about allowing Access-Control-Allow-Headers: * even on credentialed requests? Reply to this email directly or view it on GitHub You are receiving this because you were mentioned. That's consistent with how Access-Control-Allow-Origin currently works,Īnd should be very safe and cover the common use cases. If at that point a * is received forĮither of those headers, the header is ignored. Value for all of Access-Control-Allow-Origin, Access-Control-Allow-HeadersĪnd Access-Control-Allow-Methods. When Access-Control-Allow-Credentials: true is set, then * is a forbidden and Access-Control-Allow-Methods: *, but only when Access-Control-Allow-Credentials:. ![]() On Tue, at 11:26 AM, Jonas Sicking really like the idea that we allow Access-Control-Allow-Origin: *, Access-Control-Allow-Headers: From a conceptual POV, AC-Allow-Headers and AC-Allow-Methods are Server ACTUALLY responds to a DELETE request, but it might raise some redįlags. The preflight OPTIONS response here, and there's no requirement that the Specify Access-Control-Allow-Methods: *, since that is effectively saying One thought: A webserver admin might look at this and say "I don't want to I'm fine with adding * support for all three of these headers (if
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |