-
Notifications
You must be signed in to change notification settings - Fork 329
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More wildcards in CORS when used without credentials #298
Conversation
@tyoshino review appreciated. @roryhewitt, @craigfrancis, @mozfreddyb, you might be interested in reviewing too. @sicking, I included your suggestion around |
@@ -1856,12 +1858,14 @@ <h4 id="http-new-header-syntax"><span class="secno">4.2.4 </span>HTTP new-header | |||
<pre>Access-Control-Request-Method = <a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.1.1">method</a> | |||
Access-Control-Request-Headers = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a> | |||
|
|||
Access-Control-Allow-Origin = origin-or-null / "*" | |||
wilrdcard = "*" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I highly suspect this to be a typo and it should read "wildcard"?
I thought a bit about this and I think one thing we should probably change is to make the CORS-preflight cache support wildcards directly. That could have a pretty dramatic impact on reducing chattiness. |
@annevk that would be nice. +1 from me. |
Access-Control-Allow-Credentials = %x74.72.75.65 ; "true", case-sensitive | ||
Access-Control-Expose-Headers = #<a class="external" data-anolis-spec="http" href="https://tools.ietf.org/html/rfc7230#section-3.2">field-name</a> | ||
Access-Control-Expose-Headers = field-name-or-wildcard |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be #field-name-or-wildcard (with a leading #?), and also contain the link to the IETF?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should have the leading #, but since this is not an IETF production this should not link.
I now changed it so that the CORS-preflight cache can store wildcards which should reduce chattiness a whole lot for non-credentialed requests (at the point user agents implement this, of course). |
@roryhewitt @tyoshino would you be so kind to look over the latest changes? I think this is ready, but I just want to be sure. |
@annevk I think the second example in section 4.2.6 should have the last line changed to something like this:
Basically showing developers that they can specify |
Ended up writing an extra paragraph. |
@annevk Perfect! |
<li><p>Let <var>headerNames</var> be the result of | ||
<span title=concept-header-parse>parsing</span> | ||
`<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in | ||
<var>response</var>'s <span title=concept-response-header-list>header list</span>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
paragraph not enclosed
Sorry for delay. lgtm but I want to make sure that it's fine that
This means that developers are basically required to coordinate use of the wildcard between client code and server. Right? [Edited] include -> omit |
@tyoshino yeah, I think that coordination has effectively always been required (it also applies to the wildcard case for origin). It might help if we start communicating that more clearly, but that would be a new request header and a separate discussion. |
ok. lgtm |
Thank you (and the others)! |
@annevk forgive my ignorance, but I'm not sure how this all goes together... If these new wildcard values are now in the master branch (and are what I see when I go to https://fetch.spec.whatwg.org/#http-new-header-syntax), does that mean that they are officially supported by all (major) browsers? Or is this just a new version of the Fetch spec, and as browsers add support for them, they will publicize this fact? |
@roryhewitt the latter. I wish it were that easy! |
Also not sure how this all goes together, but I noticed the following two don't match: Specifically: As I was writing this I realized the W3 recommendation was published in Jan 2014, so I guess we'll have to wait for a newer version to be published? Does the latest fetch spec's definition of Access-Control-Allow-Headers supersede the W3 recommendation? |
@tonyjin yes it does. W3C's copy of CORS is obsolete and should not be used. Unfortunately they have so far refused to clearly mark it as such. |
Hey Tony, Yes, the fetch spec on WHATWG (including the CORS headers) supersedes the Unfortunately, it appears to be a low priority to get this 'publicized' by, Note also that, although the latest fetch spec includes wildcards for the Perhaps @annevk can comment? Rory Sent from my phone - please excuse spelling & brevity... On Sep 15, 2016 12:34 PM, "Tony Jin" notifications@github.com wrote:
|
Thanks for clarifying and working on this @annevk & @roryhewitt - I ran into this PR after getting frustrated at adding Access-Control-Allow-Headers: [a bajillion headers] in nginx 🙄 |
Fixes #251 and fixes #252.