On 11/17/2009 02:42 AM, Robert O'Callahan wrote:
> It might be worth explicitly mentioning that CORS headers can (and
> sometimes should) be included in error responses, perhaps with an
> example of when that would make sense. Maybe I'm over-paranoid but it
> just struck me (and Jeff Walden) as something that server implementers
> are likely to overlook.

A couple data points:

Apache's header-addition directive currently isn't applied to 416 responses; a 
cursory search suggests that quirk (it's hard to call it a bug except with 
respect to CORS's particular requirements) might not be in Apache's bug 
database.  Mozilla had to alter its HTTP test server specifically to apply its 
flavor of header directives to 416 responses.  The thought never even crossed 
my mind that 416 responses might want those customized headers when I reviewed 
the server's byte-range patch.

When fail-fast, fail-silently-and-securely is the default mode of thinking (as 
it should be when implementing any sort of server), it's an easy thing to 
forget that custom headers should sometimes be applied to error responses.  
Explicitly noting that some error responses may require CORS headers would have 
made me more sensitive to that possibility when I was giving advice as to how 
to write tests using CORS, and it would have made it more likely I'd have seen 
the potential problem rather than learned it through someone else's debugging 
efforts.

Jeff
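The 416 case Jeff describes above, as an added example that is not code from the thread or from Apache or Mozilla's test server: a minimal byte-range handler that attaches the CORS header before the status is decided, so the error path cannot skip it, plus a small audit helper. The origin value and the names `ALLOWED_ORIGIN`, `handle_range` and `missing_cors_on_error` are my own constructions.

```python
# Added example (not from the thread): a byte-range handler whose CORS header is
# applied uniformly, so the 416 (Range Not Satisfiable) response keeps it.
import re

ALLOWED_ORIGIN = "https://example.test"  # constructed sample origin, not from the thread


def cors_headers(origin):
    """CORS headers applied to every response, success or error, for an allowed origin."""
    if origin == ALLOWED_ORIGIN:
        return {"Access-Control-Allow-Origin": origin}
    return {}


def handle_range(body, range_header, origin=None):
    """Return (status, headers, body) for a GET with an optional Range header.

    The CORS headers are added to `headers` before any status branch, which is
    the structural fix for the "forgot the error path" problem discussed above.
    """
    headers = {"Accept-Ranges": "bytes"}
    headers.update(cors_headers(origin))
    size = len(body)
    if range_header is None:
        headers["Content-Length"] = str(size)
        return 200, headers, body
    m = re.fullmatch(r"bytes=(\d*)-(\d*)", range_header.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        headers["Content-Range"] = f"bytes */{size}"
        return 416, headers, b""
    first, last = m.group(1), m.group(2)
    if first == "":  # suffix range "bytes=-N": the last N bytes
        n = int(last)
        start, end = max(size - n, 0), size - 1
    else:
        start = int(first)
        end = size - 1 if last == "" else min(int(last), size - 1)
    if start >= size or start > end:
        # Unsatisfiable range: the 416 still carries the CORS header set above.
        headers["Content-Range"] = f"bytes */{size}"
        return 416, headers, b""
    chunk = body[start:end + 1]
    headers["Content-Range"] = f"bytes {start}-{end}/{size}"
    headers["Content-Length"] = str(len(chunk))
    return 206, headers, chunk


def missing_cors_on_error(responses):
    """Audit helper: statuses of error responses (>= 400) that lack the CORS header."""
    return [s for s, h, _ in responses
            if s >= 400 and "Access-Control-Allow-Origin" not in h]
```

Running a server's error responses through `missing_cors_on_error` is a quick way to catch the Apache-style gap in a test suite.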
