How to handle an invalid CORS preflight request?

todofixthis · Nov 16, 2015 · Viewed 7k times

Suppose a CORS preflight request comes in, but it specifies an unsupported value for one or more Access-Control-Request-* headers. How should the server communicate this back to the browser?

Some examples:

  • The browser sends a preflight request with Access-Control-Request-Method: PUT, but the server doesn't allow PUT requests for the specified resource.
  • The browser sends a preflight request with Access-Control-Request-Headers: X-PINGOTHER, but the server doesn't allow/understand that header.

The only clue I could find was located in the W3C documentation, which indicates that the server should "terminate this request" if there is a problem with the preflighted response, but I'm not sure what that looks like in practice (is the server really supposed to terminate the connection without sending back a response??).

Or, does the server not need to bother with validation at all, since the browser will know it did something wrong just by checking the Access-Control-Allow-* response headers?

Answer

todofixthis · Nov 19, 2015

Tomcat's CORS Filter returns a 403 response when an invalid CORS preflight request is received:

If request is invalid, or is not permitted, then request is rejected with HTTP status code 403 (Forbidden). A flowchart that demonstrates request processing by this filter is available.

Granted, the documentation doesn't explain why it does this, but at least it serves as a starting point.
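An added example (not from the question, the answer, or Tomcat's filter) of the 403-on-invalid behaviour the answer describes: a preflight validator that checks Origin, Access-Control-Request-Method and Access-Control-Request-Headers against a fixed policy and returns 403 with no Access-Control-Allow-* headers when any of them is not permitted, so the browser fails the request either way. The allowed origins, methods and headers are assumed policy values.

```python
from dataclasses import dataclass, field

# Assumed policy values for this example; a real deployment loads these from config.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "authorization"}  # stored lower-case


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def handle_preflight(req_headers: dict) -> Response:
    """Evaluate an OPTIONS preflight.

    Header names are matched case-insensitively. Any request that is not a
    well-formed, permitted preflight gets a 403 with no CORS headers at all,
    mirroring the Tomcat behaviour quoted in the answer.
    """
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method", "").strip().upper()
    requested = {
        name.strip().lower()
        for name in h.get("access-control-request-headers", "").split(",")
        if name.strip()
    }

    # A preflight without Access-Control-Request-Method is malformed.
    if origin not in ALLOWED_ORIGINS or not method:
        return Response(403)
    if method not in ALLOWED_METHODS:
        return Response(403)          # e.g. PUT when only GET/POST are allowed
    if not requested <= ALLOWED_HEADERS:
        return Response(403)          # e.g. X-PINGOTHER is not an allowed header

    return Response(204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Vary": "Origin",             # the response depends on the Origin header
    })
```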