W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [CORS] HTTP error codes in preflight response

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 22 Sep 2010 21:49:39 +0200
Message-ID: <4C9A5DD3.1050509@gmx.de>
To: Jonas Sicking <jonas@sicking.cc>
CC: Webapps WG <public-webapps@w3.org>
On 22.09.2010 21:42, Jonas Sicking wrote:
> ...
> So in these scenarios servers are set up to do authentication
> verification before handing the request to CGI-like code (i.e. things
> like php, asp, jsp, etc)? Can you point to any server software which
> have such a setup?
> ...

As far as I recollect, that's the default how a servlet container is 
configured. It's probably something that can be changed on a per-method 
basis, but I don't think it's common.

> It's not a problem if servers use OPTIONS for things other than CORS
> and that those things require authentication. At some point you have
> to inspect the OPTIONS request anyway to determine if it's an OPTIONS
> request made for CORS, or one made for the other functionality. As
> long as you do that check before the authentication check you should
> be fine.

Yes, as long as you do that. I don't think you can rely on that.

Best regards, Julian
Received on Wednesday, 22 September 2010 19:50:19 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT