W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

[CORS] Suggested HTTP error codes on forbidden origin, unsupported method, etc.?

From: Vladimir Dzhuvinov <vladimir@dzhuvinov.com>
Date: Sun, 26 Sep 2010 13:01:59 +0300
Message-ID: <AANLkTi=imfMkkGJN-W3vHd4nTqirtYybje+JVFXGyxGC@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
I looked at various CORS examples, but they were not particularly
instructional on how the server should respond if the origin is not
allowed or some other check fails. The CORS spec also seems to
deliberately avoid this and leave it to the implementers.

For my CORS servlet filter I'm planning to respond with

HTTP 403 Forbidden - on a origin that is not allowed
HTTP 405 Method not allowed - on an unsupported method

Does this make sense?

How should the server respond if it receives a custom header that is
not listed as supported?


Vladimir

-- 
Vladimir Dzhuvinov :: software.dzhuvinov.com
Received on Sunday, 26 September 2010 10:10:31 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT