Re: [CORS] HTTP error codes in preflight response

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 22 Sep 2010 12:42:26 -0700
Message-ID: <AANLkTik_BfjhP3o+Aek_VsqqSjf+i1=RJ7wR1HO5bV8E@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Webapps WG <public-webapps@w3.org>
On Wed, Sep 22, 2010 at 12:34 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 22.09.2010 20:22, Jonas Sicking wrote:
>>
>> ...
>> First of all I assume that you're only talking about including
>> credentials if the 'credentials' flag is set, right?
>> ...
>
> Probably. I'm not totally familiar with the spec, I just observe its impact
> on certain scenarios :-).
>
>> This would require somewhat of a big change to CORS. Should we key the
>> 'preflight result cache' on if the 'credentials' flag is set or not?
>> What if a preflight was made with credentials and another is needed
>> without, can a cached result from the previous request be used?
>>
>> I'm not entirely opposed to this change, but I'd like to know that it
>> really is a problem for servers to use the current setup. Can you
>> point to a server configuration that can't handle the current spec? My
>> understanding is that the server in the quoted bugzilla bug *is*
>> setting relevant headers, which means that CGI-like code is run and
>> the request isn't rejected by the server outright.
>
> My understanding is that it's common to check authentication before
> dispatching to method handlers.
>
> But even if it wasn't: there are servers that *do* use OPTIONS for things
> other than CORS, and that require authentication.
>
> Special casing the CORS request will be a lot of work; it would require
> inspecting the request to decide what to do.

So in these scenarios servers are set up to do authentication
verification before handing the request to CGI-like code (i.e. things
like php, asp, jsp, etc)? Can you point to any server software which
has such a setup?

It's not a problem if servers use OPTIONS for things other than CORS
and those things require authentication. At some point you have
to inspect the OPTIONS request anyway to determine if it's an OPTIONS
request made for CORS, or one made for the other functionality. As
long as you do that check before the authentication check you should
be fine.

/ Jonas
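Added example, not code from the thread or from any server mentioned in it, of the ordering Jonas describes: a dispatcher classifies an OPTIONS request as a CORS preflight before the authentication check, with the reversed order alongside for contrast. The origin allow-list, the token and the request/response shapes are constructed placeholders.

```python
# Added example, not code from the thread. Allow-list, token and the
# request/response shapes are constructed placeholders.
ALLOWED_ORIGINS = {"https://app.example"}      # constructed allow-list
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
VALID_TOKEN = "Bearer constructed-token"       # constructed credential

def _lower(headers):
    # Header names are case-insensitive; normalise once.
    return {k.lower(): v for k, v in headers.items()}

def is_cors_preflight(method, headers):
    # A preflight is an OPTIONS request carrying Origin and
    # Access-Control-Request-Method; any other OPTIONS is ordinary traffic.
    h = _lower(headers)
    return (method.upper() == "OPTIONS"
            and "origin" in h and "access-control-request-method" in h)

def preflight_response(headers):
    # Browsers send the preflight without credentials, so it is answered
    # before any auth check; a 401 here would block the real request.
    origin = _lower(headers).get("origin")
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    return 204, {"Access-Control-Allow-Origin": origin,
                 "Access-Control-Allow-Methods": ALLOWED_METHODS,
                 "Access-Control-Allow-Credentials": "true",
                 "Vary": "Origin"}

def is_authenticated(headers):
    return _lower(headers).get("authorization") == VALID_TOKEN

def handle(method, headers):
    # Ordinary handlers, including a non-CORS OPTIONS that needs auth.
    if method.upper() == "OPTIONS":
        return 200, {"Allow": "OPTIONS, " + ALLOWED_METHODS}
    return 200, {}

def dispatch(method, headers):
    # Recommended order: classify the OPTIONS request, then authenticate.
    if is_cors_preflight(method, headers):
        return preflight_response(headers)
    if not is_authenticated(headers):
        return 401, {"WWW-Authenticate": "Bearer"}
    return handle(method, headers)

def dispatch_auth_first(method, headers):
    # Ordering the thread warns about: the credential-less preflight gets 401.
    if not is_authenticated(headers):
        return 401, {"WWW-Authenticate": "Bearer"}
    return dispatch(method, headers)
```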
Received on Wednesday, 22 September 2010 19:43:19 GMT