2014-01-31

Access-Control-Allow-Credentials

I went to an html5 study group for the first time in a while; this post is about the last question asked there, which concerned Access-Control-Allow-Credentials. The question was: in XMLHttpRequest Level 2, when the credentials flag is set on the request, what happens if the server does not set Access-Control-Allow-Credentials to true?

The relevant part of the CORS spec reads as follows:
7.2 Resource Sharing Check
  1. If the response includes zero or more than one Access-Control-Allow-Origin header values, return fail and terminate this algorithm.
  2. If the Access-Control-Allow-Origin header value is the "*" character and the omit credentials flag is set, return pass and terminate this algorithm.
  3. If the value of Access-Control-Allow-Origin is not a case-sensitive match for the value of the Origin header as defined by its specification, return fail and terminate this algorithm.
  4. If the omit credentials flag is unset and the response includes zero or more than one Access-Control-Allow-Credentials header values, return fail and terminate this algorithm.
  5. If the omit credentials flag is unset and the Access-Control-Allow-Credentials header value is not a case-sensitive match for "true", return fail and terminate this algorithm.
  6. Return pass.

So for a credentialed request the check fails unless the response carries exactly Access-Control-Allow-Credentials: true (the match is case-sensitive, so "True" does not count). It also fails if that header appears more than once in the response. Note in addition that step 2 only accepts the wildcard when credentials are omitted; for a credentialed request the wildcard falls through to step 3 and fails, so the server has to echo back the specific value of the request's Origin header, and it should only do that for origins it actually trusts.
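The six steps of the Resource Sharing Check quoted above, written out as a small function. This is an added example, not code from the original post or from any browser; it assumes response headers are modelled as a list of [name, value] pairs so that a header sent twice shows up as two entries, and it returns the spec's "pass"/"fail" words rather than throwing.

```javascript
// Collect every value sent for a given response header (names are case-insensitive in HTTP,
// values are compared exactly, as the spec's steps 3 and 5 require).
function getHeaderValues(responseHeaders, name) {
  const wanted = name.toLowerCase();
  return responseHeaders
    .filter(([headerName]) => headerName.toLowerCase() === wanted)
    .map(([, value]) => value);
}

// Resource Sharing Check (CORS spec, section 7.2).
//   responseHeaders: array of [name, value] pairs as received from the server (constructed here)
//   requestOrigin:   the value the browser sent in the request's Origin header
//   omitCredentials: true for a plain request, false when the credentials flag is set
function resourceSharingCheck(responseHeaders, requestOrigin, omitCredentials) {
  const allowOrigin = getHeaderValues(responseHeaders, 'Access-Control-Allow-Origin');

  // Step 1: exactly one Access-Control-Allow-Origin value, otherwise fail.
  if (allowOrigin.length !== 1) return 'fail';

  // Step 2: the wildcard is only acceptable for a request without credentials.
  if (allowOrigin[0] === '*' && omitCredentials) return 'pass';

  // Step 3: otherwise the value must match the request's Origin exactly
  // (a wildcard with credentials lands here and fails).
  if (allowOrigin[0] !== requestOrigin) return 'fail';

  if (!omitCredentials) {
    const allowCredentials = getHeaderValues(responseHeaders, 'Access-Control-Allow-Credentials');

    // Step 4: exactly one Access-Control-Allow-Credentials value, otherwise fail.
    if (allowCredentials.length !== 1) return 'fail';

    // Step 5: and it must be the case-sensitive string "true".
    if (allowCredentials[0] !== 'true') return 'fail';
  }

  // Step 6.
  return 'pass';
}

// Constructed sample responses for a credentialed request from https://app.example.
const ORIGIN = 'https://app.example';

const correct = [
  ['Access-Control-Allow-Origin', ORIGIN],
  ['Access-Control-Allow-Credentials', 'true'],
];
const missingCredentialsHeader = [
  ['Access-Control-Allow-Origin', ORIGIN],
];
const wildcardWithCredentials = [
  ['Access-Control-Allow-Origin', '*'],
  ['Access-Control-Allow-Credentials', 'true'],
];
const duplicatedCredentialsHeader = [
  ['Access-Control-Allow-Origin', ORIGIN],
  ['Access-Control-Allow-Credentials', 'true'],
  ['Access-Control-Allow-Credentials', 'true'],
];
const wrongCase = [
  ['Access-Control-Allow-Origin', ORIGIN],
  ['Access-Control-Allow-Credentials', 'True'],
];

// Print the outcome of each sample when run directly.
const samples = { correct, missingCredentialsHeader, wildcardWithCredentials, duplicatedCredentialsHeader, wrongCase };
for (const [label, headers] of Object.entries(samples)) {
  console.log(`${label}: credentialed=${resourceSharingCheck(headers, ORIGIN, false)}, plain=${resourceSharingCheck(headers, ORIGIN, true)}`);
}
```

Only the first sample passes for a credentialed request; the wildcard sample passes for a plain request (step 2) but fails a credentialed one at step 3, which is why a server that wants to accept cookies cross-origin has to echo a specific, allowlisted origin.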