- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Sep 2010 21:49:39 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- CC: Webapps WG <public-webapps@w3.org>
On 22.09.2010 21:42, Jonas Sicking wrote: > ... > So in these scenarios servers are set up to do authentication > verification before handing the request to CGI-like code (i.e. things > like php, asp, jsp, etc)? Can you point to any server software which > have such a setup? > ... As far as I recollect, that's the default how a servlet container is configured. It's probably something that can be changed on a per-method basis, but I don't think it's common. > It's not a problem if servers use OPTIONS for things other than CORS > and that those things require authentication. At some point you have > to inspect the OPTIONS request anyway to determine if it's an OPTIONS > request made for CORS, or one made for the other functionality. As > long as you do that check before the authentication check you should > be fine. Yes, as long as you do that. I don't think you can rely on that. Best regards, Julian
Received on Wednesday, 22 September 2010 19:50:19 UTC