W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2012

Re: CORS test status

From: Toni Ruottu <toni.ruottu@iki.fi>
Date: Tue, 25 Sep 2012 21:38:11 +0300
Message-ID: <CA+F4AWrhKhKuSXKUGTR5agUwCMR-N0GmU_+L=D-r=ZyuK8DaNA@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Toni Ruottu <toni.ruottu@iki.fi>, "gopal.raghavan@nokia.com" <gopal.raghavan@nokia.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
So the test is useful, but the outcome expected by the test should be
changed to match the specification.

Do we also need another test that sends valid headers with the preflight?

On Tuesday, 25 September 2012, Boris Zbarsky wrote:

> On 9/25/12 2:15 PM, Toni Ruottu wrote:
>
>> What is the expected behaviour?
>>
>
> Of browsers, or the server?
>
> The expected behavior of a server that wants to allow the main request is
> to reply to the preflight with relevant Access-Control-Allow-Origin headers
> and such.
>
> The expected behavior of browsers when a server does not do that is to not
> do the main request.  Which is what they're doing.
>
> -Boris
>
Received on Tuesday, 25 September 2012 18:38:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 25 September 2012 18:38:39 GMT