- From: Michael[tm] Smith <notifications@github.com>
- Date: Wed, 13 Oct 2021 02:34:16 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1330/review/778328188@github.com>
@sideshowbarker commented on this pull request. > @@ -2957,10 +2956,35 @@ if the <a>CORS protocol</a> is understood. It uses `<code>OPTIONS</code>` as <hr> -<p>In case a server does not wish to participate in the <a>CORS protocol</a>, its HTTP response to -the <a lt="CORS request">CORS</a> or <a>CORS-preflight request</a> must not include any of the above -<a for=/>headers</a>. The server is encouraged to use the 403 <a for=/>status</a> in such HTTP -responses. +<p>A successful HTTP response, i.e., one where the server developer intends to share it, to a +<a>CORS request</a> can use any <a for=/>status</a>, as long as it includes the <a for=/>headers</a> +stated above with <a for=header>values</a> matching up with the request. + +<p>A successful HTTP response to a <a>CORS-preflight request</a> is similar, except it is restricted +to an <a for=/>ok status</a>, e.g., 200 or 204. + +<p>Any other kind of HTTP response is not successful and will either end up not being shared or fail +the <a>CORS-preflight request</a>. Be aware that any work the server performs might nonetheless leak +through side channels such as timing. If server developers wish to denote this explicitly the 403 ```suggestion through side channels, such as timing. If server developers wish to denote this explicitly, the 403 ``` -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1330#pullrequestreview-778328188
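Review bot: In the first added paragraph, "with values matching up with the request" does not say which header values have to match which parts of the request. Since this sentence now defines what counts as a successful response, it should name or link the specific checks instead of saying "matching up". In the same sentence, the parenthetical "i.e., one where the server developer intends to share it" separates "HTTP response" from "to a CORS request"; moving it to the end of the sentence or into a sentence of its own would read more cleanly. The removed text also told a server that does not wish to participate that its response "must not include any of the above headers", while the added paragraphs visible here only describe other responses as "not successful". Consider keeping an explicit statement of how a server opts out, so the guidance on declining to share is not left implicit.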
Received on Wednesday, 13 October 2021 09:34:29 UTC