1

Context

Solving a CORS issue, I was wondering what are the valid values for the HTTP response header Access-Control-Allow-Headers.

The Whatwg CORS spec on header syntax tells me in ABNF that :

Access-Control-Allow-Headers = #field-name

And the RFC7230 tells me that :

field-name     = token
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA

In addition, Whatwg states that :

ABNF means ABNF as augmented by HTTP (in particular the addition #) and RFC 7405. [RFC7405]

OK, I now know that this response header is invalid:

Access-Control-Allow-Headers: Origin, Content-Type, content type, Accept, Authorization

field-name should not contain a white space, but this leads to my question :

Question

Where is the normative reference for #symbol in whatwg ABNF? It's not the the RFC5234 defining the ABNF syntax. I guest it's something like a comma separated fields, but I did not find a real reference.

PS: the question is not "What are the valid values for Access-Control-Allow-Headers"

Community
  • 1
  • 1
Gabriel Glenn
  • 1,174
  • 1
  • 13
  • 30

1 Answers1

3

This "as augmented by HTTP (in particular the addition #)" comes from RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing section 7. ABNF List Extension: #rule:

A #rule extension to the ABNF rules of [RFC5234] is used to improve readability in the definitions of some header field values.

A construct "#" is defined, similar to "*", for defining comma-delimited lists of elements. The full form is "<n>#<m>element" indicating at least <n> and at most <m> elements, each separated by a single comma (",") and optional whitespace (OWS).

In any production that uses the list construct, a sender must not generate empty list elements. In other words, a sender must generate lists that satisfy the following syntax:

1#element => element *( OWS "," OWS element )

(...)

So #field-name becomes "zero or more field-name (separated by commas and surrounded by optional linear whitespace)", because n and m default to 0 and infinity, respectively.

Julian Reschke
  • 40,156
  • 8
  • 95
  • 98
CodeCaster
  • 147,647
  • 23
  • 218
  • 272
  • True, but a more recent definition is in RFC 7230, Section 7. () – Julian Reschke Sep 28 '20 at 12:38
  • @Julian thanks, I've updated the answer, feel free to include more details. – CodeCaster Sep 28 '20 at 12:44
  • Well done ! Did you knew the answer or did you searched it ? If you searched it, how did you searched ? I always kind of struggle when I query a SE with a request containing a special character. – Gabriel Glenn Sep 28 '20 at 13:00
  • @Gabriel I clicked your links and searched for related terms, ultimately ending up at RFC 2616 when searching "http abnf augmented #" or something like that. I don't use Stack Overflow's search, onsite search almost never works. I have to admit I've read all HTTP and related RFCs once or more for fun, so it rang a bell – CodeCaster Sep 28 '20 at 13:03