Re: [whatwg/fetch] CORS: more information for server developers (#1330)

@rossabaker commented on this pull request.

This is a nice addition!

I've seen implementations add CORS headers when the `Origin` is allowed, and respond with a 403 when not.  Similarly, they return a 403 on preflight requests if any `Access-Control-Request-*` headers represent a disallowed value.  This seems like a middle ground between a "dynamic response" and "not partaking in the CORS protocol."  It's not disallowed by this spec, but whether that behavior is correct or recommended confused me during my implementation.

I also thought I read somewhere that some client implementations don't cope with a 204 response to preflight requests, but I can't find the reference now.  If that's true, that's worth highlighting, because returning 204 was my first instinct.



Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1330#pullrequestreview-777667467

Received on Tuesday, 12 October 2021 17:27:08 UTC
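
The server behaviour described in the comment above (CORS headers when the `Origin` is allowed, 403 when it or a preflight's `Access-Control-Request-*` values are not), as an added example; it is not part of the original message and not code from the Fetch spec or any implementation the comment refers to. The `policy` object, the `corsDecision` function, and all origins, methods and header names are hypothetical, constructed values.

```javascript
// Hypothetical policy; every value here is a constructed sample.
const policy = {
  origins: new Set(["https://app.example"]),
  methods: new Set(["GET", "POST"]),
  headers: new Set(["content-type", "x-request-id"]),
  preflightStatus: 204, // policy choice, kept configurable
};

// req: { method, headers } with lower-cased header names.
// Returns null when there is no Origin header (not a CORS request), else
// { action: "reject" | "forward" | "preflight", status, headers }.
function corsDecision(req, p = policy) {
  const origin = req.headers["origin"];
  if (origin === undefined) return null;

  // The response differs per Origin, so caches must key on it.
  const vary = { vary: "Origin" };
  if (!p.origins.has(origin)) {
    return { action: "reject", status: 403, headers: vary };
  }

  const allow = { ...vary, "access-control-allow-origin": origin };
  const reqMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || reqMethod === undefined) {
    // Actual request: the real handler picks the status; only add headers.
    return { action: "forward", status: undefined, headers: allow };
  }

  // Preflight: every requested method and header must be on the allow-list.
  const reqHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!p.methods.has(reqMethod) || !reqHeaders.every((h) => p.headers.has(h))) {
    return { action: "reject", status: 403, headers: vary };
  }
  return {
    action: "preflight",
    status: p.preflightStatus,
    headers: {
      ...allow,
      "access-control-allow-methods": [...p.methods].join(", "),
      "access-control-allow-headers": [...p.headers].join(", "),
    },
  };
}
```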