- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Sep 2010 21:34:29 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Webapps WG <public-webapps@w3.org>

On 22.09.2010 20:22, Jonas Sicking wrote:
> ...
> First of all I assume that you're only talking about including
> credentials if the 'credentials' flag is set, right?
> ...

Probably. I'm not totally familiar with the spec, I just observe its impact on certain scenarios :-).

> This would require somewhat of a big change to CORS. Should we key the
> 'preflight result cache' on if the 'credentials' flag is set or not?
> What if a preflight was made with credentials and another is needed
> without, can a cached result from the previous request be used?
>
> I'm not entirely opposed to this change, but I'd like to know that it
> really is a problem for servers to use the current setup. Can you
> point to a server configuration that can't handle the current spec? My
> understanding is that the server in the quoted bugzilla bug *is*
> setting relevant headers, which means that CGI-like code is run and
> the request isn't rejected by the server outright.

My understanding is that it's common to check authentication before dispatching to method handlers.

But even if it wasn't: there are servers that *do* use OPTIONS for things other than CORS, and that require authentication. Special casing the CORS request will be a lot of work; it would require inspecting the request to decide what to do.

Best regards, Julian

Received on Wednesday, 22 September 2010 19:35:08 UTC
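
The request inspection discussed in the message above, as an added example that is not part of the original thread or of any server mentioned in it: an authentication gate that answers credential-less CORS preflights itself and keeps every other OPTIONS request behind authentication. The origin, method list, account and function names are all constructed for illustration.

```python
import base64
import hmac

# Hypothetical policy for this sketch: constructed origin, methods and account.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_METHODS = {"GET", "PUT", "PROPFIND"}
EXPECTED_AUTH = "Basic " + base64.b64encode(b"alice:constructed-secret").decode()


def is_cors_preflight(method, headers):
    """OPTIONS plus Origin plus Access-Control-Request-Method marks a preflight."""
    return (method.upper() == "OPTIONS"
            and "origin" in headers
            and "access-control-request-method" in headers)


def authenticated(headers):
    """Constant-time comparison against the one constructed account."""
    supplied = headers.get("authorization", "").encode()
    return hmac.compare_digest(supplied, EXPECTED_AUTH.encode())


def gate(method, raw_headers):
    """Return (status, response_headers, dispatched) for one request."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    if is_cors_preflight(method, headers):
        origin = headers["origin"]
        wanted = headers["access-control-request-method"].upper()
        if origin not in ALLOWED_ORIGINS or wanted not in ALLOWED_METHODS:
            # No CORS headers in the reply, so the browser blocks the real request.
            return 403, {}, False
        # Answered before the auth check: preflights arrive without credentials.
        return 204, {
            "Access-Control-Allow-Origin": origin,  # echoed, never "*", with credentials
            "Access-Control-Allow-Methods": wanted,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }, False
    # Everything else, including OPTIONS used for other purposes, stays behind auth.
    if not authenticated(headers):
        return 401, {"WWW-Authenticate": 'Basic realm="dav"'}, False
    return 200, {}, True
```

The preflight branch never reaches a method handler, so the only thing an unauthenticated caller learns from it is the CORS policy for an origin that is already on the allow list.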