- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 16 Apr 2013 21:54:42 +0200
- To: "Pellerin, Clement" <Clement_Pellerin@ibi.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
* Pellerin, Clement wrote:
>What should the value of the Allow header be in the response to a CORS preflight request?
>Is the Allow header mandatory, optional, forbidden, ignored?

If the "CORS" proposal does not add any requirements in this regard, then that is covered by the HTTP specification, and RFC 2616 says:

  A 200 response SHOULD include any header fields that indicate optional
  features implemented by the server and applicable to that resource
  (e.g., Allow), possibly including extensions not defined by this
  specification. [...]

>What should a user agent client do when it gets inconsistent information
>between the Allow header and the Access-Control-Allow-Methods header?

They are different headers that do not overlap in what information they convey, so saying

  Allow: PUT, ...
  Access-Control-Allow-Methods: GET

is not really inconsistent. An implementation of the "CORS" proposal would only look at the `Access-Control-Allow-Methods` header to determine the appropriate "CORS" handling.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Tuesday, 16 April 2013 19:55:10 UTC
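As an added illustration of the reply's point (not code from the thread or from any browser), the following Python models the user agent's CORS preflight check: the origin check and the method check consult only the Access-Control-* headers, and an Allow header, even one naming the method, does not influence the result. The origin value, the simple-method set and the sample response headers are constructed assumptions for the example.

```python
# Added example: a simplified model of a user agent's CORS preflight
# decision. It consults Access-Control-Allow-Origin and
# Access-Control-Allow-Methods only; the HTTP Allow header is ignored,
# which is exactly why "Allow: PUT" next to
# "Access-Control-Allow-Methods: GET" is not inconsistent.

# Methods the CORS spec treats as "simple" (no method entry needed).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def parse_method_list(value):
    """Split a comma-separated header value into method tokens.

    Whitespace around tokens is dropped; case is preserved because the
    CORS method check is a case-sensitive comparison.
    """
    if value is None:
        return []
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def preflight_allows(method, origin, response_headers):
    """Return True if a preflighted request with `method` may proceed.

    Step 1: resource sharing check on Access-Control-Allow-Origin
            ("*" or an exact match of the requesting origin).
    Step 2: method check on Access-Control-Allow-Methods
            (case-sensitive match, or the method is a simple method).
    The Allow header is never read here.
    """
    headers = {name.lower(): value for name, value in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao not in ("*", origin):
        return False
    allowed = parse_method_list(headers.get("access-control-allow-methods"))
    return method in allowed or method in SIMPLE_METHODS


# Constructed preflight response mirroring the "inconsistent" case from
# the thread: Allow advertises PUT, but CORS only permits GET.
PREFLIGHT_RESPONSE = {
    "Allow": "GET, PUT, OPTIONS",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Methods": "GET",
}

if __name__ == "__main__":
    for m in ("GET", "PUT"):
        print(m, preflight_allows(m, "https://app.example", PREFLIGHT_RESPONSE))
```

Running it shows GET allowed and PUT refused: the server's Allow header advertising PUT has no bearing on the cross-origin decision.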