W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [CORS] HTTP error codes in preflight response

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Sep 2010 16:15:03 +0200
Message-ID: <4C9A0F67.1060709@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>
CC: Webapps WG <public-webapps@w3.org>
On 21.09.2010 02:05, Jonas Sicking wrote:
> Hi All,
>
> CORS was recently clarified to say that error responses, such as
> 4xx/5xx responses, should not abort the various algorithms but instead
> such a response should be forwarded to, for example, the
> XMLHttpRequest implementation.
>
> However it seems somewhat strange to me to do this with responses to
> the preflight OPTIONS request. If a OPTIONS request results in a 404,
> then it seems to me that the request can not be considered successful,
> and that access to place the "real" request should not be granted.
> Otherwise we are essentially ignoring the status code and not exposing
> it anywhere, which seems strange.

I just stumbled upon 
<https://bugzilla.mozilla.org/show_bug.cgi?id=597301>, which is about a 
server that 401s the OPTIONS request.

It seems to me that CORS needs to handle this case. That is, the OPTIONS 
request should be repeated with credentials.

Best regards, Julian
Received on Wednesday, 22 September 2010 15:15:44 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT