jub0bs
@NicoPowers The case of headers cannot be the root cause of the issue you're experiencing, as header names are case-insensitive. Rather, the `401` status code you're getting suggests that some...
@annevk I've reframed/retitled this issue. Recommending that servers follow the steps of CORS-preflight fetch would make CORS issues easier to debug and, thereby, would likely alleviate the troubles of users...
> The tradeoff here is that you end up giving more information to potential attackers. That's true, but I wonder two things: 1. Would such information be valuable to an...
1 My main question is whether the information thus revealed (not even considering timing attacks indeed) would be pertinent to an attacker. Only if the answer is "yes" should we...
@sideshowbarker I'd be curious to hear your thoughts about this, especially given [your long history of helping people troubleshoot their CORS issues on Stack Overflow](https://stackoverflow.com/search?q=user%3A441757+%5Bcors%5D). 🙏
Regardless of any changes to the Fetch standard, perhaps the best of both worlds is possible after all. FWIW, I'm currently augmenting my CORS-middleware library with a [debug mode, which...
@annevk Wouldn't it be premature? My understanding is that [Fetch Metadata](https://w3c.github.io/webappsec-fetch-metadata/) will [eventually](https://fetch.spec.whatwg.org/#goals) get merged into the Fetch standard. Correct? Until then, though, I'm not sure the Fetch standard should...
Now that I think about it, a similar consideration involves the `Access-Control-Expose-Headers`. In the case of a resource that - systematically includes `Access-Control-Allow-Origin: https://example.com` in all responses, - omits the...
@annevk > Perhaps we should update this advice to talk about the Sec-Fetch-Mode request header instead. What do you have in mind?
@jepsar Be careful: not all `OPTIONS` requests that include an `Origin` header are preflight requests. To be sure that you're dealing with a preflight request, you should check that the request...
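The distinction drawn in the comment above, as an added example that is not part of the original thread and not code from jub0bs's CORS middleware: per the Fetch standard, a CORS-preflight request is an `OPTIONS` request carrying both an `Origin` header and an `Access-Control-Request-Method` header, so a server should test for both before answering as a preflight. Header lookups are case-insensitive (the point raised in the first comment), which Go's `net/http` handles by canonicalizing keys. The host name and the sample requests are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// IsPreflight reports whether r is a CORS-preflight request as the Fetch
// standard defines it: method OPTIONS, an Origin header, and an
// Access-Control-Request-Method header. An OPTIONS request that merely
// carries Origin (for instance a cross-origin fetch whose method is OPTIONS)
// is not a preflight and must not be answered as one.
func IsPreflight(r *http.Request) bool {
	if r.Method != http.MethodOptions {
		return false
	}
	// Header.Values canonicalizes the key, so "origin", "ORIGIN" and "Origin"
	// all resolve to the same entry; header-name case is irrelevant here.
	if len(r.Header.Values("Origin")) == 0 {
		return false
	}
	return len(r.Header.Values("Access-Control-Request-Method")) > 0
}

// Classify returns a short label for a request, suitable for debug logging.
func Classify(r *http.Request) string {
	switch {
	case IsPreflight(r):
		return "cors-preflight"
	case r.Method == http.MethodOptions:
		return "options-not-preflight"
	default:
		return "other"
	}
}

// newRequest builds a constructed sample request (hypothetical host) with
// the given headers; it exists only to exercise Classify offline.
func newRequest(method string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(method, "https://api.example.test/items", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	samples := []struct {
		name string
		req  *http.Request
	}{
		{"preflight", newRequest(http.MethodOptions, map[string]string{
			"Origin":                        "https://app.example.test",
			"Access-Control-Request-Method": "PUT",
		})},
		{"OPTIONS with Origin only", newRequest(http.MethodOptions, map[string]string{
			"origin": "https://app.example.test", // lowercase on purpose
		})},
		{"plain GET", newRequest(http.MethodGet, nil)},
	}
	for _, s := range samples {
		fmt.Printf("%-25s -> %s\n", s.name, Classify(s.req))
	}
}
```

Only the first sample should receive a preflight response; the second is an ordinary `OPTIONS` request from a CORS-enabled context and should be routed to the resource's normal `OPTIONS` handling.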