
Reputation: 1142

How to handle an invalid CORS preflight request?

Suppose a CORS preflight request comes in, but it specifies an unsupported value for one or more Access-Control-Request-* headers. How should the server communicate this back to the browser?

Some examples:

The only clue I could find was located in the W3C documentation, which indicates that the server should "terminate this request" if there is a problem with the preflighted response, but I'm not sure what that looks like in practice (is the server really supposed to terminate the connection without sending back a response??).

Or, does the server not need to bother with validation at all, since the browser will know it did something wrong just by checking the Access-Control-Allow-* response headers?

Upvotes: 4

Views: 7371

Answers (1)


Reputation: 1142

Tomcat's CORS Filter returns a 403 response when an invalid CORS preflight request is received:

If request is invalid, or is not permitted, then request is rejected with HTTP status code 403 (Forbidden). A flowchart that demonstrates request processing by this filter is available.

Granted, the documentation doesn't explain why it does this, but at least it serves as a starting point.

Upvotes: 1
