On Sun, 26 Sep 2010 12:01:59 +0200, Vladimir Dzhuvinov <vladi...@dzhuvinov.com> wrote:
I looked at various CORS examples, but they were not particularly
instructional on how the server should respond if the origin is not
allowed or some other check fails. The CORS spec also seems to
deliberately avoid this and leave it to the implementers.

For my CORS servlet filter I'm planning to respond with

HTTP 403 Forbidden - on an origin that is not allowed
HTTP 405 Method not allowed - on an unsupported method

Does this make sense?

How should the server respond if it receives a custom header that is
not listed as supported?

I suppose we could give advice, but it does not really matter as the client will always treat it as a network error to make it indistinguishable from other failures.


--
Anne van Kesteren
http://annevankesteren.nl/
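To make the exchange above concrete, here is an added example of the preflight decision a CORS filter would make (it is not Vladimir's filter and not code from the CORS spec). It uses the thread's plan of 403 for a disallowed origin and 405 for an unsupported method; for the unsupported-header case, which the thread leaves open, the example picks 403 as its own assumption. The `CorsPolicy`, `Decision` and `evaluate_preflight` names and the allow-list values are constructed for the example. The security-relevant detail, which follows from Anne's point, is that a rejected response carries no `Access-Control-Allow-*` headers at all: the status code only matters in the server log, while the browser surfaces every rejection to page script as the same network error.

```python
"""Preflight decision logic for a CORS filter (added example, not the thread's code).

Assumptions: the filter holds an allow-list of origins, methods and request
headers; a disallowed origin gets 403, an unsupported method 405, and an
unsupported request header 403 (the last is this example's own choice).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset   # exact origin strings, e.g. "https://app.example"
    allowed_methods: frozenset   # upper-case method names
    allowed_headers: frozenset   # lower-case header names
    max_age: int = 600           # seconds a browser may cache the preflight result


@dataclass
class Decision:
    status: int
    headers: dict = field(default_factory=dict)
    reason: str = ""             # for the server log only; never sent to the client


def _split_header_list(value):
    """Split a comma-separated Access-Control-Request-Headers value into
    lower-cased names, ignoring empty entries."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def evaluate_preflight(policy, origin, requested_method, requested_headers):
    """Decide how to answer an OPTIONS preflight.

    A rejection returns only a status code and a log reason. No
    Access-Control-Allow-* header is attached, so the browser reports a
    network error to the page regardless of whether the status is 403 or 405.
    """
    if origin not in policy.allowed_origins:
        return Decision(403, reason="origin not allowed: %s" % origin)
    if requested_method.upper() not in policy.allowed_methods:
        return Decision(405, reason="method not allowed: %s" % requested_method)
    unsupported = [h for h in _split_header_list(requested_headers or "")
                   if h not in policy.allowed_headers]
    if unsupported:
        # The thread does not settle this case; 403 is the example's assumption.
        return Decision(403, reason="header(s) not allowed: %s" % ", ".join(unsupported))
    return Decision(200, headers={
        # Echo the single matched origin rather than "*", so credentials stay usable
        # and a cache cannot hand one origin's answer to another (hence Vary: Origin).
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(policy.allowed_headers)),
        "Access-Control-Max-Age": str(policy.max_age),
        "Vary": "Origin",
    })


# Constructed policy for the demo; not taken from any real deployment.
DEMO_POLICY = CorsPolicy(
    allowed_origins=frozenset({"https://app.example"}),
    allowed_methods=frozenset({"GET", "POST"}),
    allowed_headers=frozenset({"content-type", "x-requested-with"}),
)


def demo():
    """Run the four cases discussed in the thread and return their decisions."""
    cases = [
        ("https://other.example", "GET", None),                 # origin not allowed -> 403
        ("https://app.example", "DELETE", ""),                  # method not allowed -> 405
        ("https://app.example", "POST", "Content-Type, X-Custom"),  # header not allowed -> 403
        ("https://app.example", "post", "Content-Type"),        # everything allowed -> 200
    ]
    return [evaluate_preflight(DEMO_POLICY, o, m, h) for o, m, h in cases]


if __name__ == "__main__":
    for d in demo():
        print(d.status, d.reason or d.headers)
```

The filter would log `Decision.reason` and send only `Decision.status` plus `Decision.headers`; nothing about why a request was refused should reach the response body, since the browser hides it from script anyway and it would only help someone probing the allow-list.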
