Re: [CORS] Suggested HTTP error codes on forbidden origin, unsupported method, etc.?

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 29 Sep 2010 12:48:16 +0200
To: public-webapps <public-webapps@w3.org>, "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>
Message-ID: <op.vjsiyqx864w2qv@anne-van-kesterens-macbook-pro.local>
On Sun, 26 Sep 2010 12:01:59 +0200, Vladimir Dzhuvinov  
<vladimir@dzhuvinov.com> wrote:
> I looked at various CORS examples, but they were not particularly
> instructional on how the server should respond if the origin is not
> allowed or some other check fails. The CORS spec also seems to
> deliberately avoid this and leave it to the implementers.
>
> For my CORS servlet filter I'm planning to respond with
>
> HTTP 403 Forbidden - on an origin that is not allowed
> HTTP 405 Method not allowed - on an unsupported method
>
> Does this make sense?
>
> How should the server respond if it receives a custom header that is
> not listed as supported?

I suppose we could give advice, but it does not really matter as the  
client will always treat it as a network error to make it  
indistinguishable from other failures.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 29 September 2010 10:48:58 GMT
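
An added example, not part of the original messages and not the poster's servlet filter: a preflight decision using the 403/405 codes proposed above, next to a simplified model of why script on the client sees the same network error either way. The policy, the sample requests, the function names and the 403 for an unlisted header are assumptions.

```javascript
// Constructed allow-list policy (assumption, not from the thread).
const policy = {
  origins: new Set(["https://app.example"]),
  methods: new Set(["GET", "POST"]),
  headers: new Set(["content-type"]),
};

// Server side: answer a CORS preflight. 403/405 follow the poster's plan;
// CORS response headers are emitted only when every check passes.
function preflightResponse(req, p = policy) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  const asked = (req.headers["access-control-request-headers"] || "")
    .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!origin || !p.origins.has(origin)) return { status: 403, headers: {} };
  if (!method || !p.methods.has(method)) return { status: 405, headers: {} };
  // The thread leaves the status for an unlisted header open; 403 is assumed here.
  if (asked.some(h => !p.headers.has(h))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin,
      "access-control-allow-methods": [...p.methods].join(", "),
      "access-control-allow-headers": [...p.headers].join(", "),
      "vary": "Origin",
    },
  };
}

// Client side, simplified: a failed preflight reaches script as one opaque
// network error, so the status code chosen above is never visible to it.
function scriptVisibleResult(req, res) {
  const ok = res.status >= 200 && res.status < 300 &&
    res.headers["access-control-allow-origin"] === req.headers["origin"];
  return ok ? "preflight ok" : "network error";
}

// Constructed preflights: bad origin, bad method, unlisted header, allowed.
const samples = [
  { "origin": "https://other.example", "access-control-request-method": "GET" },
  { "origin": "https://app.example", "access-control-request-method": "DELETE" },
  { "origin": "https://app.example", "access-control-request-method": "POST",
    "access-control-request-headers": "X-Custom" },
  { "origin": "https://app.example", "access-control-request-method": "POST",
    "access-control-request-headers": "Content-Type" },
];

function demo() {
  return samples.map(headers => {
    const req = { headers }, res = preflightResponse(req);
    return [res.status, scriptVisibleResult(req, res)];
  });
}
```

The distinct status codes remain useful in server logs and to non-browser clients, which are not subject to the browser's CORS check.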