W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [CORS] HTTP error codes in preflight response

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Sep 2010 21:34:29 +0200
Message-ID: <4C9A5A45.7080704@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>
CC: Webapps WG <public-webapps@w3.org>
On 22.09.2010 20:22, Jonas Sicking wrote:
> ...
> First of all I assume that you're only talking about including
> credentials if the 'credentials' flag is set, right?
> ...

Probably. I'm not totally familiar with the spec, I just observe its 
impact on certain scenarios :-).

> This would require somewhat of a big change to CORS. Should we key the
> 'preflight result cache' on if the 'credentials' flag is set or not?
> What if a preflight was made with credentials and another is needed
> without, can a cached result from the previous request be used?
>
> I'm not entirely opposed this change, but I'd like to know that it
> really is a problem for servers to use the current setup. Can you
> point to a server configuration that can't handle the current spec? My
> understanding is that the server in the quoted bugzilla bug *is*
> setting relevant headers, which means that CGI-like code is run and
> the request isn't rejected by the server outright.

My understanding is that it's common to check authentication before 
dispatching to method handlers.

But even if it wasn't: there are servers that *do* use OPTIONS for 
things other than CORS, and that require authentication.

Special casing the CORS request will be a lot of work; it would require 
inspecting the request to decide what to do.

Best regards, Julian
Received on Wednesday, 22 September 2010 19:35:08 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT