
Re: CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 28 Feb 2013 20:10:34 +0100
To: Boris Zbarsky <bzbarsky@MIT.EDU>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <p7avi85ag0obfqd0o6lvraon66atmcndsj@hive.bjoern.hoehrmann.de>
* Boris Zbarsky wrote:
>I am changing Gecko back to our old behavior of accepting any 2xx 
>response to a preflight, but the spec also needs to be changed.  It's 
>not clear to me what the spec should say here; possible options are "any 
>2xx response" or "200 or 204" or something else.  Feedback from WebKit 
>and Trident folks on what they actually do is welcome.

It seems this requirement has been added in the 2012 draft, so the more
interesting question would be what this is trying to accomplish. Last I
checked "CORS" did not use the response body here, so using 204 seems
quite natural: it saves around 20 bytes on the wire and there is less of
a risk to leak information through the service by accidentally sending a
body.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Thursday, 28 February 2013 19:11:02 GMT
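As an added illustration of the two points discussed in this thread (a preflight answered with 204 and an empty body, and a client that accepts any 2xx preflight status), the following Python is example code written for this archive page, not code from either participant, Gecko or any CORS specification. The origin allow-list, allowed methods and allowed headers are constructed sample values; the `preflight_response` and `preflight_accepted` names are hypothetical.

```python
# Added example, not part of the original thread: a minimal CORS preflight
# responder that answers 204 No Content with an empty body, plus the
# client-side acceptance rule quoted above (any 2xx response is accepted).
# Allow-list values below are constructed for illustration.

ALLOWED_ORIGINS = {"https://app.example"}            # constructed
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}   # constructed
ALLOWED_HEADERS = {"content-type", "authorization"}  # constructed


def preflight_response(headers):
    """Build (status, response_headers, body) for an OPTIONS preflight.

    `headers` maps lower-cased request header names to their values.
    Returns 204 with an empty body when the origin, requested method and
    requested headers are all allowed; otherwise 403 with no CORS headers
    and no body, so nothing about the allow-list is echoed back.
    """
    origin = headers.get("origin")
    method = headers.get("access-control-request-method", "").upper()
    requested = {
        h.strip().lower()
        for h in headers.get("access-control-request-headers", "").split(",")
        if h.strip()
    }
    if (origin not in ALLOWED_ORIGINS
            or method not in ALLOWED_METHODS
            or not requested <= ALLOWED_HEADERS):
        return 403, {"Vary": "Origin"}, b""

    response_headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }
    # The preflight result lives entirely in the headers. 204 forbids a
    # body, which removes the "accidentally sent a body" leak mentioned
    # in the reply and saves the bytes a 200 with empty body would cost.
    return 204, response_headers, b""


def preflight_accepted(status):
    """Client-side rule from the quoted message: accept any 2xx preflight."""
    return 200 <= status <= 299


if __name__ == "__main__":
    ok = preflight_response({
        "origin": "https://app.example",
        "access-control-request-method": "POST",
        "access-control-request-headers": "Content-Type",
    })
    print(ok[0], preflight_accepted(ok[0]), ok[2] == b"")
```

Running the module prints `204 True True`: the allowed preflight gets a 204, the client treats it as success, and the body is empty. A rejected preflight gets a bare 403 with only `Vary: Origin`, which keeps the allow-list out of the response.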