Re: CORS: Requirement for HTTP 200 response on preflight is not web-compatible and doesn't seem to be interoperably implemented

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 01 Mar 2013 03:07:11 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <p730j8t93g8rqt492nv1far7asjba9dabf@hive.bjoern.hoehrmann.de>

* Bjoern Hoehrmann wrote:
>It seems this requirement has been added in the 2012 draft, so the more
>interesting question would be what this is trying to accomplish. Last I
>checked "CORS" did not use the response body here, so using 204 seems
>quite natural: it saves around 20 bytes on the wire and there is less of
>a risk to leak information through the service by accidentally sending a

seems to be the reasoning behind rejecting anything but the status 200.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 1 March 2013 02:07:41 UTC