- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Tue, 17 Nov 2009 23:42:29 +1300
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-webapps@w3.org
- Message-ID: <11e306600911170242p49e4b18dr41cfe749eb647a93@mail.gmail.com>
On Tue, Nov 17, 2009 at 11:14 PM, Anne van Kesteren <annevk@opera.com> wrote:

> On Tue, 17 Nov 2009 01:45:53 +0100, Robert O'Callahan <robert@ocallahan.org> wrote:
>
>> This suggests that the client should expect --- and the server should send
>> --- CORS headers such as Access-Control-Allow-Origin:* in HTTP error
>> responses for "public" resources. Does that make sense? The spec seems to
>> be silent on the issue.
>
> That's exactly what should happen, yes. The specification is status code
> agnostic apart from redirects. Anything I can do that makes that more clear?

It might be worth explicitly mentioning that CORS headers can (and sometimes should) be included in error responses, perhaps with an example of when that would make sense. Maybe I'm over-paranoid but it just struck me (and Jeff Walden) as something that server implementers are likely to overlook.

Thanks,
Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Tuesday, 17 November 2009 10:43:02 UTC
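
An added example, not part of the original message: a handler that sets the CORS header only on success, next to one that is status-code agnostic, for a request without credentials. The handlers follow Node's `(req, res)` convention; the resource table, the `/boom` path and the `run` and `visibleStatus` helpers are constructed for illustration.

```javascript
// Constructed "public" resource table (hypothetical paths and content).
const PUBLIC = { '/data.json': '{"ok":true}' };

// Overlooked case: the CORS header is set only on the success path,
// so a cross-origin caller cannot read the 404.
function naiveHandler(req, res) {
  const body = PUBLIC[req.url];
  if (body === undefined) {
    res.statusCode = 404;
    return res.end('not found');
  }
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.statusCode = 200;
  res.end(body);
}

// Status-code agnostic: the header is set before any branching, so the
// 404 and the 500 from the catch path carry it as well.
function corsHandler(req, res) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  try {
    if (req.url === '/boom') throw new Error('constructed failure');
    const body = PUBLIC[req.url];
    res.statusCode = body === undefined ? 404 : 200;
    res.end(body === undefined ? 'not found' : body);
  } catch (e) {
    res.statusCode = 500;
    res.end('internal error');
  }
}

// Minimal stand-in for http.ServerResponse so the example runs offline.
function run(handler, url) {
  const res = {
    statusCode: 200, headers: {}, body: '',
    setHeader(k, v) { this.headers[k.toLowerCase()] = v; },
    end(b) { this.body = b || ''; },
  };
  handler({ url, method: 'GET' }, res);
  return res;
}

// What a cross-origin script can observe: the real status when the CORS
// check passes, otherwise only an opaque network error.
function visibleStatus(res) {
  const allowed = res.headers['access-control-allow-origin'] === '*';
  return allowed ? res.statusCode : 'network error';
}
```

Both handlers can be passed unchanged to `http.createServer`; with `naiveHandler`, a cross-origin client cannot distinguish a missing resource from a connection failure.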