CORS Allow header in preflight response from Pellerin, Clement on 2013-04-16 (public-webappsec@w3.org from April 2013)

From: Pellerin, Clement <Clement_Pellerin@ibi.com>
Date: Tue, 16 Apr 2013 14:28:45 -0400
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <9892EC6224DBC54598164D1F77721D7572AED5C38C@IBIUSMBSB.ibi.com>

What should the value of the Allow header be in the response to a CORS preflight request?
Is the Allow header mandatory, optional, forbidden, ignored?

What should a user agent client do when it gets inconsistent information between the Allow header and the Access-Control-Allow-Methods header?

Received on Tuesday, 16 April 2013 18:29:58 UTC