Fetch: specify default accept header on cors preflight

Created on 20 Aug 2019  路  12Comments  路  Source: whatwg/fetch

In https://crbug.com/995740 we have encountered a server that fails if the cors preflight options request does not have an accept header. It seems, though, the spec does not include accept on those requests.

The default accept / header is added in "perform a fetch" here:

https://fetch.spec.whatwg.org/#fetching

But cors preflight taps straight into "HTTP-network-or-cache fetch" further down the algorithm.

Is this intentional or an oversight in the spec?

compat good first issue needs tests cors

All 12 comments

Pretty sure it wasn't considered, though hard to say over a decade plus. Is the suggestion to always send Accept: */*?

Yea, I was wondering if it should get the default of Accept: */*.

I think that's a reasonable change FWIW.

This came up for chromium because we changed our CORS implementation recently. It seems prior to M76 we sent an accept header, but starting in M76 stopped sending the accept header.

Firefox Nightly seems to send Accept: */* on the cors preflight.

image

Its hard to quickly check safari since it doesn't seem to expose preflights to devtools network panel.

Confirmed that Safari also sends Accept: */* for the CORS preflight.
I will restore the original behavior to have the Accept in Chrome's new CORS.

Updated the title to reflect that the spec should be updated to match browser implementations.

So, browsers are going to send an extra header on every preflight, just because one server was erroneously counting on it?

That seems like a path to bad things happening. Accept is completely optional in requests, and HTTP requires servers to be able to deal without it.

No. Sending the accept header was the original behavior of all UAs including chromium.

We'd just want to confirm the spec description if it reflects the actual UAs' implementation so that we can ship a brand new CORS implementaton as much compatible as possible.

Even if this is an optional one, we'd have an explit explanation to say so in the spec. Otherwise, we will receive bug reports from users continuously.

So, browsers are going to send an extra header on every preflight, just because one server was erroneously counting on it?

It's more like, browsers have always sent the header on every preflight, but until one of them accidentally removed it, we didn't realize that the spec was not aligned with implementations in this regard. Now that we realize that, we're fixing the spec.

Not sending Accept in various places has been tried a couple times if I remember correctly and always ended up failing. I suspect that unfortunately servers use it as a high-level filter for clients.

Was this page helpful?
0 / 5 - 0 ratings