
Re: CORS Allow header in preflight response

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 16 Apr 2013 21:54:42 +0200
To: "Pellerin, Clement" <Clement_Pellerin@ibi.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <vaarm81g4l3n0v3oluta62slpvl72b6c0o@hive.bjoern.hoehrmann.de>
* Pellerin, Clement wrote:
>What should the value of the Allow header be in the response to a CORS preflight request?
>Is the Allow header mandatory, optional, forbidden, ignored?

If the "CORS" proposal does not add any requirements in this regard,
then that is covered by the HTTP specification, and RFC 2616 says:

   A 200 response SHOULD include any header fields that indicate
   optional features implemented by the server and applicable to that
   resource (e.g., Allow), possibly including extensions not defined by
   this specification. [...]

>What should a user agent client do when it gets inconsistent information 
>between the Allow header and the Access-Control-Allow-Methods header?

They are different headers that do not overlap in what information they
convey, so saying `Allow: PUT, ... Access-Control-Allow-Methods: GET` is
not really inconsistent. An implementation of the "CORS" proposal would
only look at the `Access-Control-Allow-Methods` header to determine the
appropriate "CORS" handling.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 16 April 2013 19:55:10 UTC
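To make the point of the reply concrete, here is an added example (it is not code from the thread, the W3C, or any browser): a small model of the browser-side CORS preflight method check. It consults only `Access-Control-Allow-Methods`; the plain HTTP `Allow` header is never read, so the `Allow: PUT, ... Access-Control-Allow-Methods: GET` case from the reply simply rejects a PUT and accepts a GET. The wildcard (`*`) handling and the "CORS-safelisted" methods follow the current Fetch standard's CORS-preflight fetch steps, which is an assumption beyond the 2013 draft discussed here; the function names are my own.

```javascript
// Added example, not from the mailing-list thread: a minimal model of the
// browser-side CORS preflight *method* check as described by the Fetch
// standard. Only Access-Control-Allow-Methods is consulted; the HTTP Allow
// header never enters the decision. (The use-CORS-preflight-flag special
// case of Fetch is omitted for brevity.)

// Split a comma-separated list header into trimmed, non-empty tokens.
function parseHeaderList(value) {
  if (value === null || value === undefined) return [];
  return value
    .split(',')
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// Fetch normalizes these method names to upper case; all others are
// byte-case-sensitive and compared as given.
const NORMALIZED_METHODS = new Set(['DELETE', 'GET', 'HEAD', 'OPTIONS', 'POST', 'PUT']);
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED_METHODS.has(upper) ? upper : method;
}

// CORS-safelisted methods pass the method check without being listed.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// headers: plain object mapping lower-cased response header names to values.
// credentialsMode: 'omit' | 'same-origin' | 'include' (as in Fetch).
// Returns { ok: true } or { ok: false, reason: string }.
function preflightMethodCheck(headers, requestMethod, credentialsMode = 'same-origin') {
  const method = normalizeMethod(requestMethod);
  const allowed = parseHeaderList(headers['access-control-allow-methods']);

  const listed = allowed.includes(method);
  // "*" only stands for "any method" when credentials are not included;
  // with credentials it is just a literal token that matches nothing useful.
  const wildcard = allowed.includes('*') && credentialsMode !== 'include';

  if (!listed && !SAFELISTED_METHODS.has(method) && !wildcard) {
    return {
      ok: false,
      reason: `method ${method} is not in Access-Control-Allow-Methods (${allowed.join(', ') || 'absent'})`,
    };
  }
  return { ok: true };
}

// Constructed sample: the exact situation from the reply. The server says
// Allow: PUT (plain HTTP) but Access-Control-Allow-Methods: GET (CORS).
const THREAD_RESPONSE_HEADERS = {
  'allow': 'PUT, GET, OPTIONS',
  'access-control-allow-origin': 'https://app.example',
  'access-control-allow-methods': 'GET',
};

// Evaluate both methods against the constructed preflight response.
function checkThreadExample() {
  return {
    get: preflightMethodCheck(THREAD_RESPONSE_HEADERS, 'GET'),
    put: preflightMethodCheck(THREAD_RESPONSE_HEADERS, 'PUT'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkThreadExample(), null, 2));
}
```

Note that a response carrying only `Allow: PUT` and no `Access-Control-Allow-Methods` at all also fails the check for PUT, while still passing for GET, HEAD and POST: the CORS layer does not "fall back" to the HTTP header, which is the sense in which the two headers do not overlap.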
