
Re: CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 01 Mar 2013 03:07:11 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <p730j8t93g8rqt492nv1far7asjba9dabf@hive.bjoern.hoehrmann.de>

* Bjoern Hoehrmann wrote:
>It seems this requirement has been added in the 2012 draft, so the more
>interesting question would be what this is trying to accomplish. Last I
>checked "CORS" did not use the response body here, so using 204 seems
>quite natural: it saves around 20 bytes on the wire and there is less of
>a risk to leak information through the service by accidentally sending a
>body.

http://lists.w3.org/Archives/Public/public-webapps/2010JulSep/0971.html
seems to be the reasoning behind rejecting anything but the status 200.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 1 March 2013 02:07:41 GMT
