On 22.09.2010 20:22, Jonas Sicking wrote:
> ...
> First of all I assume that you're only talking about including
> credentials if the 'credentials' flag is set, right?
> ...

Probably. I'm not totally familiar with the spec, I just observe its impact on certain scenarios :-).

> This would require somewhat of a big change to CORS. Should we key the
> 'preflight result cache' on if the 'credentials' flag is set or not?
> What if a preflight was made with credentials and another is needed
> without, can a cached result from the previous request be used?
>
> I'm not entirely opposed to this change, but I'd like to know that it
> really is a problem for servers to use the current setup. Can you
> point to a server configuration that can't handle the current spec? My
> understanding is that the server in the quoted bugzilla bug *is*
> setting relevant headers, which means that CGI-like code is run and
> the request isn't rejected by the server outright.

My understanding is that it's common to check authentication before dispatching to method handlers.

But even if it wasn't: there are servers that *do* use OPTIONS for things other than CORS, and that require authentication.

Special casing the CORS request will be a lot of work; it would require inspecting the request to decide what to do.

Best regards, Julian
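
What the request inspection mentioned in the message above could look like on a server that authenticates before dispatching, as an added example that is not part of the original e-mail or of any server discussed in it. `ALLOWED_ORIGINS`, `ALLOWED_METHODS`, `handle()` and the header-presence check standing in for real authentication are assumptions made for illustration.

```python
# Added illustration; all names and sample values here are constructed.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_METHODS = {"GET", "PUT", "DELETE"}


def is_cors_preflight(method, headers):
    """A preflight is an OPTIONS request carrying both Origin and
    Access-Control-Request-Method; any other OPTIONS is an ordinary one."""
    h = {k.lower(): v for k, v in headers.items()}
    return (method == "OPTIONS" and "origin" in h
            and "access-control-request-method" in h)


def handle(method, headers):
    """Return (status, response_headers) for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    if is_cors_preflight(method, h):
        # Preflights arrive without credentials, so this branch has to run
        # before the authentication check and must expose nothing beyond
        # the CORS policy itself.
        origin = h["origin"]
        wanted = h["access-control-request-method"]
        if origin not in ALLOWED_ORIGINS or wanted not in ALLOWED_METHODS:
            return 403, {}
        return 204, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": wanted,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    # Everything else, including OPTIONS used for purposes other than CORS,
    # still goes through authentication first. Checking that the header is
    # present is a stand-in for a real credential check.
    if "authorization" not in h:
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    if method == "OPTIONS":
        return 200, {"Allow": "OPTIONS, GET, PUT, DELETE"}
    return 200, {}
```

The only unauthenticated path is the one that matches both preflight headers and an allowed origin and method; an OPTIONS request without those headers is still challenged.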
