- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 28 Feb 2013 20:10:34 +0100
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
* Boris Zbarsky wrote: >I am changing Gecko back to our old behavior of accepting any 2xx >response to a preflight, but the spec also needs to be changed. It's >not clear to me what the spec should say here; possible options are "any >2xx response" or "200 or 204" or something else. Feedback from WebKit >and Trident folks on what they actually do is welcome. It seems this requirement has been added in the 2012 draft, so the more interesting question would by what this is trying to accomplish. Last I checked "CORS" did not use the response body here, so using 204 seems quite natural: it saves around 20 bytes on the wire and there is less of a risk to leak information through the service by accidentally sending a body. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 28 February 2013 19:11:02 UTC