mirror of
https://github.com/matrix-org/matrix-spec
synced 2025-12-20 16:38:37 +01:00
d7cf63d981
This change drops the Origin and Accept header names from the recommended value for the CORS Access-Control-Allow-Headers header. Per the CORS protocol, it’s not necessary or useful to include them. Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: Related: https://github.com/matrix-org/synapse/pull/10114 Signed-off-by: Michael[tm] Smith <mike@w3.org> |
||
|---|---|---|
| .. | ||
| client-server-api | ||
| rooms | ||
| _index.md | ||
| appendices.md | ||
| application-service-api.md | ||
| changelog.md | ||
| identity-service-api.md | ||
| proposals.md | ||
| push-gateway-api.md | ||
| server-server-api.md | ||