What are proper status codes for CORS preflight requests?
Asked Answered
L

3

50

What status code should a well-written HTTP server return when it gets a CORS preflight (OPTIONS) request?

200, 204 or something else?

Should the status code be different in case origin is allowed (and corresponding headers will be set) or not allowed (and CORS headers will not be set or will not match the origin)?

Lulalulea answered 3/9, 2017 at 18:8 Comment(0)
P
56

The gist of it is, just use 200.

A little more generally: You should just send back the same status code for the CORS preflight OPTIONS request that you’d send back for any other OPTIONS request. The relevant specs don’t require or recommend anything more than that.

What the specs say: The Fetch spec at https://fetch.spec.whatwg.org/ is where requirements for the CORS protocol are defined, and it says the status can be anything in the range 200-299.

That’s from the CORS-preflight fetch algorithm, in a step saying it can be any “ok status":

If a CORS check for request and response returns success and response’s status is
an ok status, run these substeps: …

And as far as what an “ok status” is, the spec says this:

An ok status is any status in the range 200 to 299, inclusive.

Beyond that though, the Fetch spec doesn’t recommend any particular status within 200-299.

The other relevant spec here is the HTTP 1.1 spec, which has a section defining semantics of all HTTP response status codes, and within that, a section that defines Successful 2xx codes.

And within that section there’s a specific section for 200 OK, which says this:

The 200 (OK) status code indicates that the request has succeeded.
The payload sent in a 200 response depends on the request method.
For the methods defined by this specification, the intended meaning
of the payload can be summarized as:
…
OPTIONS  a representation of the communications options;

So a response to a CORS preflight OPTIONS just needs to be:

That’s what 200 OK is defined by the HTTP spec to be, so you can stop right there.

But if you read through the rest of the 2xx codes in that section, you can confirm the semantics of none of them make sense for an OPTIONS response—except for 204 No Content.

Now as far as 204 No Content goes, there’s nothing wrong with using it for OPTIONS responses—but there’s also not really any point. That’s because:

  • unlike for some other methods, the HTTP spec defines no use for an OPTIONS payload
  • therefore in practice, clients don’t expect any payload (content) to come back for an OPTIONS (and wouldn’t do anything with any payload that did come back)

…so there’s no practical purpose in using a specific 204 status code in an OPTIONS response to explicitly tell clients there’s no payload.

Should the status code be different in case origin is allowed (and corresponding headers will be set) or not allowed (and CORS headers will not be set or will not match the origin)?

No. There’s no standard-defined code other than 200 or 204 you could use anyway—but regardless of that, the specs don’t require it to be any different and don’t define any different use if it is. And think about it: What is any existing client code going to do any differently due to any difference in the status codes for those two cases?

If the answer to that is, “Nothing”, then there’s no point in making it different.


Given all the above, the bottom line is: just send 200 OK for CORS preflight OPTIONS responses. Sending any code other than just 200 OK isn’t necessary or useful.

Paulie answered 3/9, 2017 at 23:19 Comment(2)
204 NO CONTENT seems appropriate here. Why not use that?Philbrick
@blz In their answer, Mihai says that Firefox rejects 204 preflight responses. I am not sure about Firefox, but for example this page says: "some legacy browsers (IE11, various SmartTVs) choke on 204".Withy
P
17

I used 204. Now it's not working cross-browser anymore. Use 200. Firefox started rejecting CORS requests if 204 is received in the preflight. It wasted me almost 2 hours debugging it.

Lesson to learn: When in doubt about web standards don't choose what makes sense spec wise(i.e. 204 for no content)...choose what most people do(the easy/stupid choice)

Perception answered 11/11, 2019 at 0:34 Comment(2)
I just lost a morning to this, debugging code that I had written using the previous answer above that recommends 204. I wonder how many developer hours were lost over this nitpicky change.Rosarosabel
@Perception do you have a context on why 204 in OPTIONS would mess up a GET request? It seems like an issue with a couple of browsers/os/device unique combination.Vapory
G
-1

I am using basic auth passed through headers from an AJAX call and both Firefox and Chrome are using 204 for (preflight/options).

FireFox Network panel

enter image description here

Gabler answered 20/6, 2022 at 14:23 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.