Re: [CORS] Suggested HTTP error codes on forbidden origin, unsupported method, etc.?

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 29 Sep 2010 12:48:16 +0200
To: public-webapps <public-webapps@w3.org>, "Vladimir Dzhuvinov" <vladimir@dzhuvinov.com>
Message-ID: <op.vjsiyqx864w2qv@anne-van-kesterens-macbook-pro.local>

On Sun, 26 Sep 2010 12:01:59 +0200, Vladimir Dzhuvinov <vladimir@dzhuvinov.com> wrote:
> I looked at various CORS examples, but they were not particularly
> instructional on how the server should respond if the origin is not
> allowed or some other check fails. The CORS spec also seems to
> deliberately avoid this and leave it to the implementers.
> For my CORS servlet filter I'm planning to respond with
> HTTP 403 Forbidden - on an origin that is not allowed
> HTTP 405 Method not allowed - on an unsupported method
> Does this make sense?
> How should the server respond if it receives a custom header that is
> not listed as supported?

I suppose we could give advice, but it does not really matter as the  
client will always treat it as a network error to make it  
indistinguishable from other failures.

Anne van Kesteren
Received on Wednesday, 29 September 2010 10:48:58 UTC
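
Added example, not part of either message: a JavaScript model of the point made in the reply above. The server side returns the status codes proposed in the question (403 for an unlisted header is an assumption), and a simplified browser-side preflight check shows that script gets the same network error in every failure case. All names, origins and header lists are constructed.

```javascript
// Added illustration, not code from the thread. All names and values are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "x-requested-with"];

// Server side: a filter's answer to a preflight (OPTIONS) request.
// req = { origin, method, headers: [custom header names] }
function serverPreflight(req) {
  if (!ALLOWED_ORIGINS.has(req.origin)) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.includes(req.method)) return { status: 405, headers: {} };
  // Assumption: the thread leaves the code for an unlisted header open; 403 is picked here.
  if (!req.headers.every(h => ALLOWED_HEADERS.includes(h.toLowerCase())))
    return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": req.origin,
      "access-control-allow-methods": ALLOWED_METHODS.join(", "),
      "access-control-allow-headers": ALLOWED_HEADERS.join(", "),
      "vary": "Origin", // response differs per Origin, so caches must key on it
    },
  };
}

// Client side: simplified model of the browser's preflight check.
function browserPreflightCheck(req, res) {
  const list = name =>
    (res.headers[name] || "").split(",").map(s => s.trim()).filter(Boolean);
  const methods = list("access-control-allow-methods");
  const headers = list("access-control-allow-headers").map(h => h.toLowerCase());
  const ok =
    res.status >= 200 && res.status < 300 &&
    res.headers["access-control-allow-origin"] === req.origin &&
    methods.includes(req.method) &&
    req.headers.every(h => headers.includes(h.toLowerCase()));
  return ok ? "proceed" : "network error";
}

// What the calling script can observe for a given request.
function whatScriptSees(req) {
  return browserPreflightCheck(req, serverPreflight(req));
}
```

The distinct status codes still show up in server logs and to non-browser clients, which read the response directly.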