Solving a CORS
issue, I was wondering what are the valid values for the HTTP response header Access-Control-Allow-Headers
.
The Whatwg CORS spec on header syntax tells me in ABNF that :
Access-Control-Allow-Headers = #field-name
And the RFC7230 tells me that :
field-name = token
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
In addition, Whatwg states that :
ABNF means ABNF as augmented by HTTP (in particular the addition #) and RFC 7405. [RFC7405]
OK, I now know that this response header is invalid:
Access-Control-Allow-Headers: Origin, Content-Type, content type, Accept, Authorization
field-name should not contain a white space, but this leads to my question :
Where is the normative reference for #symbol
in whatwg ABNF? It's not the the RFC5234 defining the ABNF syntax. I guest it's something like a comma separated fields, but I did not find a real reference.
PS: the question is not "What are the valid values for Access-Control-Allow-Headers
"
This "as augmented by HTTP (in particular the addition #)" comes from RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing section 7. ABNF List Extension: #rule:
A #rule extension to the ABNF rules of [RFC5234] is used to improve readability in the definitions of some header field values.
A construct "#" is defined, similar to "*", for defining comma-delimited lists of elements. The full form is "
<n>#<m>element
" indicating at least<n>
and at most<m>
elements, each separated by a single comma (",") and optional whitespace (OWS).In any production that uses the list construct, a sender must not generate empty list elements. In other words, a sender must generate lists that satisfy the following syntax:
1#element => element *( OWS "," OWS element )
(...)
So #field-name
becomes "zero or more field-name
(separated by commas and surrounded by optional linear whitespace)", because n and m default to 0 and infinity, respectively.