
OPTIONS on info.json MUST NOT redirect

Open azaroth42 opened this issue 7 years ago • 3 comments

As it's a preflight request for XHR, while the following GET can redirect, the OPTIONS must return 200. This is somewhat contrary to section 3.2 of the Auth API:

When a Description Resource is requested and the user is not authorized to access it and there are lower tiers available, the server MUST issue a 302 (Found) HTTP status response to redirect to the Description Resource of a lower tier.

This could be clarified that the "requested" is via GET but OPTIONS must still do 200. (Auth 1.0.1?)

azaroth42, May 26 '17 16:05

Side note: OPTIONS should also not return a response body for info.json, so the correct server response would be a 204 not a 200.

christopher-johnson, Oct 23 '18 23:10

This StackOverflow discussion has useful info on 200 / 204 for OPTIONS:

https://stackoverflow.com/questions/46026409/what-are-proper-status-codes-for-cors-preflight-requests/46028619

tomcrane, Mar 01 '22 13:03

Fixed in https://github.com/IIIF/api/pull/2115

Commit: https://github.com/IIIF/api/pull/2115/commits/2e0984b8f42c9750ae2f6ec4bdd51900de350547

tomcrane, Mar 28 '22 14:03

Resolved with publication of Auth 2.0 (https://iiif.io/api/auth/2.0/). With the introduction of the probe service we are no longer directly using HTTP response codes as the means to understand access status. There is no longer a need to point out issues with OPTIONS.

zimeon, Jun 07 '23 08:06
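
An added example, not part of the thread or of the IIIF specifications: a request handler for an Auth 1.0 style info.json endpoint that answers the preflight before any authorization decision and applies the lower-tier redirect only to GET. The paths, the tier mapping, the token store and the `req` shape are assumptions made up for illustration; the 204 follows the second comment, and any 2xx status satisfies the preflight.

```javascript
// Added example, not IIIF project code. Paths, tier mapping and the token
// store are constructed for illustration.
const LOWER_TIER = { "/iiif/full/info.json": "/iiif/degraded/info.json" };
const VALID_TOKENS = new Set(["constructed-token"]);

function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin || "*",
    "Access-Control-Allow-Methods": "GET, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization",
    "Vary": "Origin",
  };
}

// Pure request -> response mapping, so it can be tested without a socket.
// req = { method, path, headers } with lower-cased header names (assumption).
function handleInfoJson(req) {
  const cors = corsHeaders(req.headers["origin"]);
  // Preflight is answered before any authorization decision. The browser
  // sends OPTIONS without the Authorization header, so an auth check here
  // would always see "not authorized" and redirect.
  if (req.method === "OPTIONS") {
    return { status: 204, headers: cors, body: null };
  }
  if (req.method !== "GET") {
    return { status: 405, headers: { ...cors, Allow: "GET, OPTIONS" }, body: null };
  }
  // Only the actual GET is subject to the lower-tier redirect rule.
  const match = /^Bearer (.+)$/.exec(req.headers["authorization"] || "");
  const authorized = match !== null && VALID_TOKENS.has(match[1]);
  if (authorized) {
    return { status: 200, headers: cors, body: "{}" }; // placeholder body
  }
  const lower = LOWER_TIER[req.path];
  if (lower) {
    return { status: 302, headers: { ...cors, Location: lower }, body: null };
  }
  return { status: 401, headers: cors, body: null };
}

// Regression check: a preflight response must be 2xx and must not redirect.
function preflightAcceptable(res) {
  return res.status >= 200 && res.status <= 299 && !("Location" in res.headers);
}
```

Running `preflightAcceptable` against the OPTIONS response of every protected info.json route in a test suite catches an authorization layer that is wired in ahead of method routing.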