W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2013

CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 28 Feb 2013 09:24:49 -0500
Message-ID: <512F68B1.6000905@mit.edu>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
CORS currently requires that a non-HTTP-200 response to a preflight be 
treated like a network error.

When I changed Gecko to do that, we discovered that at least GitHub's 
API sends 204 responses to preflights.  Furthermore, it appears that 
neither Trident nor WebKit enforce this restriction to 200-only (and in 
fact it's not clear to me whether they enforce any restrictions at all; 
needs testing).

I am changing Gecko back to our old behavior of accepting any 2xx 
response to a preflight, but the spec also needs to be changed.  It's 
not clear to me what the spec should say here; possible options are "any 
2xx response" or "200 or 204" or something else.  Feedback from WebKit 
and Trident folks on what they actually do is welcome.

Received on Thursday, 28 February 2013 14:25:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:31 UTC