Re: CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

From: Odin Hørthe Omdal <odinho@opera.com>
Date: Thu, 28 Feb 2013 15:55:41 +0100
Message-Id: <1362063341.25250.140661198201093.4D0FC861@webmail.messagingengine.com>
To: public-webappsec@w3.org

On Thu, Feb 28, 2013, at 03:48 PM, Odin Hørthe Omdal wrote:
> On Thu, Feb 28, 2013, at 03:24 PM, Boris Zbarsky wrote:
> > CORS currently requires that a non-HTTP-200 response to a preflight be 
> > treated like a network error.
> WebKit does not restrict it to anything. My IE10 VM doesn't work anymore
> so I can't check that right now.
> Anyway, opening up for 2xx seems quite a-ok IMHO. I'd be more reluctant
> to go the full buggy WebKit-route in the spec.

Okay, this was just too intriguing so I nagged someone with Windows and
only the test for 204 fails there. So they actually block the other
ones. I don't really know about other 200'ds though, because I didn't
write tests for those there.

So yes, it seems like 2/3 allow 204. And GitHub is no small site.
Although what a strange thing of them to do.

  Odin Hørthe Omdal
Received on Thursday, 28 February 2013 14:56:06 UTC