[CORS] Suggested HTTP error codes on forbidden origin, unsupported method, etc.?

I looked at various CORS examples, but they were not particularly
instructional on how the server should respond if the origin is not
allowed or some other check fails. The CORS spec also seems to
deliberately avoid this and leave it to the implementers.

For my CORS servlet filter I'm planning to respond with

HTTP 403 Forbidden - on an origin that is not allowed
HTTP 405 Method not allowed - on an unsupported method

Does this make sense?

How should the server respond if it receives a custom header that is
not listed as supported?


Vladimir

-- 
Vladimir Dzhuvinov :: software.dzhuvinov.com

Received on Sunday, 26 September 2010 10:10:31 UTC
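
The status-code plan from the message above, as an added example that is not part of the original post or of the author's filter. The class name, the `decide` helper and the sample policy values are assumptions, and the custom-header case is left out because the post leaves it open.

```java
import java.util.Set;

/** Added example: status decision for a CORS filter, kept free of the servlet API. */
public class CorsDecision {
    // Constructed sample policy (assumption, not taken from the post).
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.com");
    static final Set<String> SUPPORTED_METHODS = Set.of("GET", "POST");

    /**
     * Returns the HTTP status to send, or 0 to let the request continue.
     * origin          = value of the Origin header (null if absent)
     * method          = HTTP request method
     * requestedMethod = value of Access-Control-Request-Method (null if absent)
     */
    static int decide(String origin, String method, String requestedMethod) {
        if (origin == null) {
            return 0; // no Origin header: not a CORS request, nothing to enforce
        }
        // Exact string match only. Prefix or substring matching would also
        // accept look-alike values such as https://app.example.com.other.example
        if (!ALLOWED_ORIGINS.contains(origin)) {
            return 403; // origin not allowed
        }
        // A preflight is an OPTIONS request announcing the method that will follow;
        // the announced method is the one to check, not OPTIONS itself.
        boolean preflight = "OPTIONS".equals(method) && requestedMethod != null;
        String effective = preflight ? requestedMethod : method;
        if (!SUPPORTED_METHODS.contains(effective)) {
            return 405; // method not supported
        }
        return 0;
    }

    public static void main(String[] args) {
        // Constructed requests: {Origin, method, Access-Control-Request-Method}
        String[][] cases = {
            {null, "GET", null},
            {"https://app.example.com", "GET", null},
            {"https://other.example", "GET", null},
            {"https://app.example.com", "DELETE", null},
            {"https://app.example.com", "OPTIONS", "POST"},
            {"https://app.example.com", "OPTIONS", "DELETE"},
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " " + c[1] + " " + c[2] + " -> " + decide(c[0], c[1], c[2]));
        }
    }
}
```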