Re: CORS test status from Toni Ruottu on 2012-09-25 (public-webappsec@w3.org from September 2012)

From: Toni Ruottu <toni.ruottu@iki.fi>
Date: Tue, 25 Sep 2012 21:38:11 +0300
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: Toni Ruottu <toni.ruottu@iki.fi>, "gopal.raghavan@nokia.com" <gopal.raghavan@nokia.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CA+F4AWrhKhKuSXKUGTR5agUwCMR-N0GmU_+L=D-r=ZyuK8DaNA@mail.gmail.com>

So the test is useful, but the outcome expected by the test should be
changed to match the specification.

Do we also need another test that sends valid headers with the preflight?

On Tuesday, 25 September 2012, Boris Zbarsky wrote:

> On 9/25/12 2:15 PM, Toni Ruottu wrote:
>
>> What is the expected behaviour?
>>
>
> Of browsers, or the server?
>
> The expected behavior of a server that wants to allow the main request is
> to reply to the preflight with relevant Access-Control-Allow-Origin headers
> and such.
>
> The expected behavior of browsers when a server does not do that is to not
> do the main request.  Which is what they're doing.
>
> -Boris
>

Received on Tuesday, 25 September 2012 18:38:39 UTC