W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: CORS and HTTP error responses

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 17 Nov 2009 23:42:29 +1300
Message-ID: <11e306600911170242p49e4b18dr41cfe749eb647a93@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps@w3.org
On Tue, Nov 17, 2009 at 11:14 PM, Anne van Kesteren <annevk@opera.com>wrote:

> On Tue, 17 Nov 2009 01:45:53 +0100, Robert O'Callahan <
> robert@ocallahan.org> wrote:
>
>> This suggests that the client should expect --- and the server should send
>> --- CORS headers such as Access-Control-Allow-Origin:* in HTTP error
>> responses for "public" resources. Does that make sense? The spec seems to
>> be silent on the issue.
>>
>
> That's exactly what should happen, yes. The specification is status code
> agnostic apart from redirects. Anything I can do that makes that more clear?
>

It might be worth explicitly mentioning that CORS headers can (and sometimes
should) be included in error responses, perhaps with an example of when that
would make sense. Maybe I'm over-paranoid but it just struck me (and Jeff
Walden) as something that server implementers are likely to overlook.

Thanks,
Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
Received on Tuesday, 17 November 2009 10:43:02 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT