Extracting all the moving parts from the above I get to the following variables:

Global Variables:

  • The list of allowed origins

Variables Per Resource:

  • whether the resource supports credentials, which are cookies, HTTP authentication, or client-side SSL certificates.
  • a list of exposed headers (simple headers are always exposed)
  • an optional max-age in delta-seconds (could also be a global setting)
  • a list of allowed headers (simple headers are always allowed) (this we can derive from the headers that were deduced in the RestInterface for a given resource)

This is a very thorough list, and most implementations/people don't really care about most of it. They just want it to work.

I am just wondering how much a CORS implementation needs to support.

Out-of-the-box it should Just Work.

Anyway, what are your ideas?
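The variables listed in the post, turned into the computation a CORS filter actually has to do per request (origin check, credentials, preflight validation, exposed headers, max-age). This is an added example and not code from the original post or from the project under discussion; the CorsConfig class, the function names and the sample origins are assumptions made for illustration.

```python
"""Compute CORS response headers from the post's variables (added example).

Request is modelled as (method, headers-dict); the CorsConfig class and all
names below are hypothetical, not the project's API.
"""
from dataclasses import dataclass, field
from typing import Optional

# CORS-safelisted ("simple") header names per the Fetch standard. These never
# need to appear in Allow-Headers / Expose-Headers.
SAFELISTED_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_RESPONSE_HEADERS = {"cache-control", "content-language", "content-length",
                               "content-type", "expires", "last-modified", "pragma"}


@dataclass
class CorsConfig:
    """The post's variables: one global allow-list, the rest per resource."""
    allowed_origins: set                        # global; serialized origins, or "*"
    supports_credentials: bool = False          # cookies, HTTP auth, client certs
    exposed_headers: set = field(default_factory=set)
    allowed_headers: set = field(default_factory=set)
    allowed_methods: set = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    max_age: Optional[int] = None               # delta-seconds for preflight caching


def _get(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_allowed(cfg, origin):
    # A wildcard is only honoured without credentials: "*" plus credentials would
    # mean reflecting every origin, which is the classic CORS misconfiguration.
    if "*" in cfg.allowed_origins:
        return not cfg.supports_credentials
    # Exact match on the serialized origin (scheme://host[:port]); never a prefix
    # or substring match, or https://app.example.attacker.net would pass.
    return origin in cfg.allowed_origins


def cors_response_headers(cfg, method, headers):
    """Return the CORS headers to add to the response for one request.

    {} for a same-origin request (no Origin header). For a disallowed origin or
    a failed preflight, only 'Vary: Origin' and no Allow-Origin, so the browser
    blocks the response.
    """
    origin = _get(headers, "Origin")
    if origin is None:
        return {}

    out = {"Vary": "Origin"}  # response differs per origin; caches must not mix them
    if not _origin_allowed(cfg, origin):
        return out

    if cfg.supports_credentials:
        # "*" is invalid with credentials; echo the validated origin instead.
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Credentials"] = "true"
    elif "*" in cfg.allowed_origins:
        out["Access-Control-Allow-Origin"] = "*"
    else:
        out["Access-Control-Allow-Origin"] = origin

    requested_method = _get(headers, "Access-Control-Request-Method")
    is_preflight = method.upper() == "OPTIONS" and requested_method is not None

    if not is_preflight:
        exposed = sorted(h for h in cfg.exposed_headers
                         if h.lower() not in SAFELISTED_RESPONSE_HEADERS)
        if exposed:
            out["Access-Control-Expose-Headers"] = ", ".join(exposed)
        return out

    # Preflight: the requested method and every non-simple requested header must
    # be allowed for this resource, otherwise answer without Allow-* headers.
    if requested_method.upper() not in cfg.allowed_methods:
        return {"Vary": "Origin"}
    raw = _get(headers, "Access-Control-Request-Headers") or ""
    requested = [h.strip().lower() for h in raw.split(",") if h.strip()]
    allowed_lower = {h.lower() for h in cfg.allowed_headers}
    for name in requested:
        if name not in allowed_lower and name not in SAFELISTED_REQUEST_HEADERS:
            return {"Vary": "Origin"}

    out["Access-Control-Allow-Methods"] = requested_method.upper()
    if requested:
        # Echo the validated list, so Content-Type with a non-safelisted value
        # (e.g. application/json) is covered as well.
        out["Access-Control-Allow-Headers"] = ", ".join(requested)
    if cfg.max_age is not None:
        out["Access-Control-Max-Age"] = str(cfg.max_age)
    return out
```

Three points the list of variables does not spell out but a working implementation needs: the origin check is an exact string comparison, never a prefix match; a resource that supports credentials must echo the specific origin rather than "*"; and every response to a request carrying Origin should include Vary: Origin so a shared cache does not serve one origin's Allow-Origin header to another.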