- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 29 Sep 2010 12:48:16 +0200
- To: public-webapps <public-webapps@w3.org>, "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>
On Sun, 26 Sep 2010 12:01:59 +0200, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote:
> I looked at various CORS examples, but they were not particularly
> instructional on how the server should respond if the origin is not
> allowed or some other check fails. The CORS spec also seems to
> deliberately avoid this and leave it to the implementers.
>
> For my CORS servlet filter I'm planning to respond with
>
> HTTP 403 Forbidden - on an origin that is not allowed
> HTTP 405 Method not allowed - on an unsupported method
>
> Does this make sense?
>
> How should the server respond if it receives a custom header that is
> not listed as supported?

I suppose we could give advice, but it does not really matter as the client will always treat it as a network error to make it indistinguishable from other failures.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 29 September 2010 10:48:58 UTC
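
The preflight decision discussed in this message, as an added example that is not part of the original thread or of the servlet filter it mentions. It pairs a server-side check using the 403/405 statuses proposed above with a simplified model of the client check, to show that every denial reaches script as the same network error. The policy values, the function names and the 403 chosen for an unlisted header are assumptions of this example.

```javascript
// Added example; policy values and function names are constructed for illustration.
const POLICY = {
  origins: new Set(["https://app.example"]),
  methods: new Set(["GET", "POST", "PUT"]),
  headers: new Set(["content-type", "x-requested-with"]),
};

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Server side: decide the preflight response. `req.headers` keys are lower-case.
function answerPreflight(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  const wanted = tokens(req.headers["access-control-request-headers"]);
  // Denials carry no Access-Control-* headers at all.
  const deny = (status) => ({ status, headers: { Vary: "Origin" } });

  if (!origin || !policy.origins.has(origin)) return deny(403);
  if (!method || !policy.methods.has(method)) return deny(405);
  // Status for an unlisted header is this example's choice; the thread leaves it open.
  if (!wanted.every((h) => policy.headers.has(h))) return deny(403);

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo the one matched origin, not "*"
      "Access-Control-Allow-Methods": [...policy.methods].join(", "),
      "Access-Control-Allow-Headers": [...policy.headers].join(", "),
      Vary: "Origin",
    },
  };
}

// Client side, simplified: any failed check surfaces to script as one network error.
function clientOutcome(req, res) {
  const h = res.headers;
  const ok =
    res.status >= 200 && res.status < 300 &&
    h["Access-Control-Allow-Origin"] === req.headers["origin"] &&
    tokens(h["Access-Control-Allow-Methods"]).includes(
      (req.headers["access-control-request-method"] || "").toLowerCase()) &&
    tokens(req.headers["access-control-request-headers"]).every((x) =>
      tokens(h["Access-Control-Allow-Headers"]).includes(x));
  return ok ? "proceed" : "network error";
}
```

The distinct status codes remain useful in server logs and for non-browser clients, even though a page's script cannot tell them apart.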