503200 - Content-Type header is not preflighted with OPTIONS request in Cross-Site XMLHttpRequest calls (violates CORS)

Status: RESOLVED FIXED

(Core :: XML, defect, P2)

Description

[Arun Ranganathan]

1. Visit the above URL
2. Click the button, and view TCP/HTTP traffic between client and server.
3. Observe all request headers that go across the wire after you click the button.

Current Behavior: You will notice that this script sets Content-Type using XMLHttpRequest, but that the Content-Type behavior is not preflighted with the initial OPTIONS request according to the CORS specification.

Expected Behavior: The Content-Type header should be preflighted using the Access-Control-Request-Headers CORS header along with the initial OPTIONS request.  Moreover, if server does not respond with Access-Control-Allow-Headers:CONTENT-TYPE the XMLHttpRequest call should fail.

Comment 1

[Christian :Biesinger (don't email me, ping me on IRC)]

not networking

Comment 2

[Johnny Stenback (:jst)]

Not holding 1.9.2 for this.

Comment 3

[Johnny Stenback (:jst)]

This is not an alpha blocker.

Comment 4

[embyte]

On Firefox 3.6 it works OK (the request is first preflight). Note that at the 2nd try no preflight is sent anymore thanks to the caching system.

Comment 5

[Mike Beltzner [:beltzner, not reading bugmail]]

jst: still blocking b2? or should this be betaN?

Comment 6

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Hmm.. thought i had marked this as depending on bug 597301.

Anyhow, the patches in bug 597301 should have fixed this. Testcases are also checked in of course.