
CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 28 Feb 2013 09:24:49 -0500
Message-ID: <512F68B1.6000905@mit.edu>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

CORS currently requires that a non-HTTP-200 response to a preflight be 
treated like a network error.

When I changed Gecko to do that, we discovered that at least GitHub's 
API sends 204 responses to preflights.  Furthermore, it appears that 
neither Trident nor WebKit enforce this restriction to 200-only (and in 
fact it's not clear to me whether they enforce any restrictions at all; 
needs testing).

I am changing Gecko back to our old behavior of accepting any 2xx 
response to a preflight, but the spec also needs to be changed.  It's 
not clear to me what the spec should say here; possible options are "any 
2xx response" or "200 or 204" or something else.  Feedback from WebKit 
and Trident folks on what they actually do is welcome.

-Boris

Received on Thursday, 28 February 2013 14:25:20 GMT
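An added example (not from the message above or from any browser engine) modelling how a user agent decides whether a preflight response authorises the actual request under the two status policies discussed: the "200 only" rule in the spec text, and the "any 2xx" rule Gecko reverted to. The response values, including the GitHub-style 204, are constructed; the header checks are a simplified version of the CORS algorithm that requires every requested header to be listed explicitly.

```python
from dataclasses import dataclass

SIMPLE_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class PreflightResponse:
    """Constructed stand-in for an OPTIONS response: status code plus headers."""
    status: int
    headers: dict


def _csv(value):
    # Split a comma-separated header value into a set of lowercase tokens.
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def preflight_ok(resp, origin, method, request_headers, status_policy="any-2xx"):
    """Return True if the preflight response authorises the actual request.

    status_policy "200-only" models the spec text Boris quotes (anything but 200 is a
    network error); "any-2xx" models Gecko's restored behaviour.  Header checks follow
    the CORS preflight algorithm in simplified form.
    """
    if status_policy == "200-only":
        if resp.status != 200:
            return False
    elif status_policy == "any-2xx":
        if not 200 <= resp.status <= 299:
            return False
    else:
        raise ValueError("unknown status_policy: %r" % status_policy)

    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    # Origin must be echoed exactly or be the wildcard.
    if hdrs.get("access-control-allow-origin") not in ("*", origin):
        return False
    # Non-simple methods must be listed in Access-Control-Allow-Methods.
    allowed_methods = _csv(hdrs.get("access-control-allow-methods", ""))
    if method.upper() not in SIMPLE_METHODS and method.lower() not in allowed_methods:
        return False
    # Simplification: every requested header must be listed in Allow-Headers.
    allowed_headers = _csv(hdrs.get("access-control-allow-headers", ""))
    return all(h.lower() in allowed_headers for h in request_headers)


# Constructed example: a 204 preflight response of the kind the message attributes to GitHub's API.
GITHUB_STYLE_204 = PreflightResponse(204, {
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Methods": "GET, PUT, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
})
```

Under the strict policy the 204 response is a network error even though every header check passes; under the lenient policy the same response authorises the request.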
