
Use structured fields for CORS headers

Open letitz opened this issue 4 years ago • 2 comments

Private Network Access is considering using structured fields for the new Access-Control-Allow-Private-Network header in https://github.com/WICG/private-network-access/issues/45. This header should be kept consistent with the existing Access-Control-Allow-Credentials header defined by the CORS protocol, since they both accept a single value: "true".

It would be nice to modernize the existing ABNF-defined CORS header syntax to use structured fields instead.

To avoid backwards-incompatibility, the Allow-Credentials header in particular should probably be defined as a token instead of a boolean, which is unfortunate but surmountable.

It is less clear what to do with the Access-Control-{Request,Allow}-{Method,Headers} headers. Their syntax might be subtly different from that expected by structured fields' "list of tokens" type?

letitz avatar Apr 14 '21 09:04 letitz

(Slightly related: #814.)

annevk avatar Apr 14 '21 09:04 annevk

To be clear, unless they are fully compatible I don't think it's worth making changes here. It does seem fine to upgrade some (that are compatible) and not others (that are not).

annevk avatar Dec 02 '21 16:12 annevk
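
The compatibility question discussed in this thread, as an added example that is not part of the issue or of any spec text: the token and boolean grammars from RFC 8941 next to the RFC 7230 `token` that the CORS method and header-name lists use today. Function names and the sample header values are constructed for illustration.

```javascript
// tchar from RFC 7230, written as the inside of a regex character class.
const TCHAR = "!#$%&'*+\\-.^_`|~0-9A-Za-z";

// RFC 7230: token = 1*tchar (grammar of `method` and `field-name`).
const HTTP_TOKEN = new RegExp(`^[${TCHAR}]+$`);
// RFC 8941: sf-token = ( ALPHA / "*" ) *( tchar / ":" / "/" )
const SF_TOKEN = new RegExp(`^[A-Za-z*][${TCHAR}:/]*$`);
// RFC 8941: sf-boolean = "?" ( "0" / "1" )
const SF_BOOLEAN = /^\?[01]$/;

// Report which grammars a single value satisfies.
function classify(value) {
  return {
    httpToken: HTTP_TOKEN.test(value),
    sfToken: SF_TOKEN.test(value),
    sfBoolean: SF_BOOLEAN.test(value),
  };
}

// Split a legacy comma-separated list (ABNF #rule): trim optional
// whitespace (SP / HTAB) and drop empty elements.
function legacyListMembers(fieldValue) {
  return fieldValue
    .split(",")
    .map((m) => m.replace(/^[ \t]+|[ \t]+$/g, ""))
    .filter((m) => m !== "");
}

// Members accepted by today's grammar that are not valid sf-tokens:
// anything whose first character is a tchar other than ALPHA or "*".
function incompatibleMembers(fieldValue) {
  return legacyListMembers(fieldValue).filter(
    (m) => HTTP_TOKEN.test(m) && !SF_TOKEN.test(m)
  );
}

// Constructed sample values.
const ALLOW_CREDENTIALS = "true"; // sf-token yes, sf-boolean no
const ALLOW_HEADERS = "content-type, x-requested-with, 1x-trace, , !debug";
const ALLOW_METHODS = "GET, PUT, *";
```

The mismatch runs in both directions: a value such as `a/b` is a valid sf-token but not an RFC 7230 token.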