- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 13 Oct 2021 00:51:16 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1330/review/778212153@github.com>
@annevk commented on this pull request. > -<a for=/>headers</a>. The server is encouraged to use the 403 <a for=/>status</a> in such HTTP -responses. +<p>Server developers have a lot of freedom in how they handle responses and these tactics can differ +between the response to the <a>CORS-preflight request</a> and the <a>CORS request</a> that follows +it: + +<ul> + <li><p>They can provide a static response. This can be helpful when working with caching + intermediaries. The client will perform validation of the response before exposing it, though side + channels such as timing might inadvertently leak information. + + <li><p>They can provide a dynamic response, tuned to the exact request headers. This can be helpful + when the response body is to be tailored to a specific origin. + + <li><p>They can decide not to partake in the <a>CORS protocol</a> by not including the relevant + response headers. In such cases using the 403 status is encouraged. Not including the normal I think @mnot made this suggestion. Of the status codes that are on offer this does seem the most appropriate one. And it can be better for security to send a different response (although that response could have a 200 as well, of course). I suppose we could note that including the necessary CORS headers on this alternative response might aid in debugging. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1330#discussion_r727792712
Received on Wednesday, 13 October 2021 07:51:28 UTC