Hi Ken,
the problem is not as simple as it looks like. We cannot use "simple" headers,
because if a browser detects any cross-domain query (different protocol/domain or port),
it will make a "preflight" OPTIONS request and if there are no proper CORS
headers in the response, the browser will refuse to make the real request (from
JavaScript). There is no way to disable these preflight requests (these are generated
internally by browsers).
Correct CORS headers for CardDavMATE/CalDavZAP looks like:
Access-Control-Allow-Origin *
=> everybody can make request to this server
Access-Control-Allow-Methods GET,POST,OPTIONS,PROPFIND,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK
=> all allowed methods (even if you return something like "unsupported" or
"not implemented" for some of them)
Access-Control-Allow-Headers
User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,X-client,X-Requested-With
=> all standard headers used by dav clients/browsers (sometime you need to add another
one for new client ... so it is good to have a configuration option for additional
headers)
JM
On May 29, 2013, at 4:28 PM, Ken Murchison <murch(a)andrew.cmu.edu> wrote:
Ján,
I'm adding support for CORS requests to my server and I'm wondering if there
any response headers that you need/want exposed. I'm not familiar with
XMLHttpRequest so I don't know what you have access to normally. Non-simple response
headers that I think might be useful:
Accept-Ranges
Content-Encoding
Content-Location
DAV
ETag
Lock-Token
Preference-Applied
Schedule-Tag
Right now, your client works fine without Access-Control-Expose-Headers in the response,
but I'm just trying to future-proof my code.
--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University