Bug 92755 - CORS handling of 401 response to preflight incorrect (sends the actual POST anyway)
: CORS handling of 401 response to preflight incorrect (sends the actual POST a...
Status: NEW
Product: WebKit
Classification: Unclassified
Component: Page Loading
: 528+ (Nightly build)
: Unspecified Unspecified
: P2 Normal
Assigned To: Nobody
https://bugzilla.mozilla.org/show_bug...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-31 07:50 PDT by Boris Zbarsky
Modified: 2012-07-31 10:18 PDT (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Boris Zbarsky 2012-07-31 07:50:07 PDT
Apparently if a preflight for an XHR POST returns a 401 (due to the site requiring Authorization headers), WebKit will send the main POST anyway, in violation of the spec.  Per spec, non-200 responses to a preflight mean the whole thing should be canceled.

See original report at http://code.google.com/p/chromium/issues/detail?id=139566 and see discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=778548
Comment 1 Alexey Proskuryakov 2012-07-31 09:58:50 PDT
Looking at public-webapps thread on the topic, there is a reason provided why the CORS draft specification should be changed (IIS with "Classic Application Pool" cannot be configured otherwise), but there is no explanation of why the requirement is necessary.

What is the reason for the requirement to reject non-200 responses? Given that the server sends Access-Control-* response header fields, it's not clear to me why it's beneficial.
Comment 2 Boris Zbarsky 2012-07-31 10:03:18 PDT
> What is the reason for the requirement to reject non-200 responses?

You could consider reading the thread in the mail archives that made the decision to do so...
Comment 3 Alexey Proskuryakov 2012-07-31 10:08:45 PDT
Good to know that it has been discussed. Do you have any pointers to that discussion?
Comment 4 Boris Zbarsky 2012-07-31 10:18:29 PDT
Not offhand; I'd have to search the archives, just like you...