On 22.09.2010 21:42, Jonas Sicking wrote:
... So in these scenarios servers are set up to do authentication verification before handing the request to CGI-like code (i.e. things like php, asp, jsp, etc)? Can you point to any server software which have such a setup? ...
As far as I recollect, that's the default how a servlet container is configured. It's probably something that can be changed on a per-method basis, but I don't think it's common.
It's not a problem if servers use OPTIONS for things other than CORS and that those things require authentication. At some point you have to inspect the OPTIONS request anyway to determine if it's an OPTIONS request made for CORS, or one made for the other functionality. As long as you do that check before the authentication check you should be fine.
Yes, as long as you do that. I don't think you can rely on that. Best regards, Julian
