Re: PROPFIND vs "simple methods", was: [CORS] HTTP error codes in preflight response

On Wed, Sep 22, 2010 at 8:59 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 22.09.2010 16:15, Julian Reschke wrote:
>>
>> On 21.09.2010 02:05, Jonas Sicking wrote:
>>>
>>> Hi All,
>>>
>>> CORS was recently clarified to say that error responses, such as
>>> 4xx/5xx responses, should not abort the various algorithms but instead
>>> such a response should be forwarded to, for example, the
>>> XMLHttpRequest implementation.
>>>
>>> However it seems somewhat strange to me to do this with responses to
>>> the preflight OPTIONS request. If an OPTIONS request results in a 404,
>>> then it seems to me that the request can not be considered successful,
>>> and that access to place the "real" request should not be granted.
>>> Otherwise we are essentially ignoring the status code and not exposing
>>> it anywhere, which seems strange.
>>
>> I just stumbled upon
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=597301>, which is about a
>> server that 401s the OPTIONS request.
>>
>> It seems to me that CORS needs to handle this case. That is, the OPTIONS
>> request should be repeated with credentials.
>> ...
>
> Related to the same bug, see
> <https://bugzilla.mozilla.org/show_bug.cgi?id=597301#c8>:
>
> Also, out of curiosity: why is there a preflight request for PROPFIND
> anyway?
>
> CORS, 6.1.5.:
>
> "To protect resources against cross-origin access with methods that have
> side effects a preflight request is made to ensure that the resource is ok
> with the request."
>
> As PROPFIND is a safe request, it doesn't seem to need the preflight request
> (per rationale), so maybe it (and other safe methods) should be added to the
> list of "simple" methods.
>
> Speaking of which, POST is listed as "simple" but definitively *has* side
> effects. Maybe all of this needs to be rephrased .-).

For what it's worth, I think "simple" is meant as "Must be handled by
servers today as HTML implementations can already send this request
cross site". Not as the HTTP definition of "must/should not have side
effects".

That said, I don't feel strongly either way on whether PROPFIND should be
preflighted or not. But we would definitely have to ask "are you sure
that servers follow the spec and don't have side effects?". I'll note
that it's well known that GET requests often have side effects despite
HTTP saying they shouldn't.

/ Jonas

Received on Wednesday, 22 September 2010 18:14:46 UTC