Reputation: 1259
I'm doing a cross-origin request using XMLHttpRequest Level 2. The problem is that if the server returns an error code, like 409, the browser doesn't allow me to access the response text that the server is returning. So if the server returns 409 with the message: "you are not allowed to do that again", I only get the 409 on the client side, but the xhr.responseText is empty...
Is this a part of the specification, or am I missing a header or something?
Upvotes: 1
Views: 903
Reputation: 959
To add to what monsur said, the spec is not entirely clear on this particular use case, but if you take a look at section 7.3. Dealing with the Cross-Origin Request Status, it instructs implementors to "ensure not to reveal any further information about the request" for various errors. Although this may seem over-conservative, you could also argue that this is a good/secure best practice. See: http://www.w3.org/TR/cors/#cors-api-specification-response
Upvotes: 2
Reputation: 47937
I believe this is a result of over-conservative browser implementation of CORS. I've even noticed in Safari that the statusCode is 0 when an error is thrown, rather than the actual HTTP status. I don't think there's anything you can do until browsers polish up the onError case. If you have control of the server, you could always return HTTP status 200, and then put the error code in the body. JSON-RPC (http://json-rpc.org/) does this, if you want to use something more standard.
Upvotes: 2
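The workaround from the last answer (always return HTTP 200 and carry the error in the body, as JSON-RPC does), sketched as an added example that is not part of any post above. `toEnvelope`, `fromEnvelope` and the `outcome` object are hypothetical names; the envelope follows the JSON-RPC 2.0 response shape, and the client validates it before trusting any field.

```javascript
// Server side: build the body that is sent with HTTP status 200.
// `outcome` is a hypothetical application result object.
function toEnvelope(id, outcome) {
  if (outcome.ok) {
    return JSON.stringify({ jsonrpc: "2.0", result: outcome.value, id: id });
  }
  // Only a numeric code and a caller-safe message are put on the wire.
  return JSON.stringify({
    jsonrpc: "2.0",
    error: { code: outcome.code, message: String(outcome.message) },
    id: id
  });
}

// Client side: call from xhr.onload / xhr.onerror with xhr.status and xhr.responseText.
function fromEnvelope(status, responseText) {
  if (status !== 200) {
    // Cross-origin failure: the body may be empty and the status may even be 0.
    return { ok: false, code: status, message: "transport-level failure" };
  }
  let body;
  try {
    body = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, code: status, message: "body is not valid JSON" };
  }
  if (body === null || typeof body !== "object" || body.jsonrpc !== "2.0") {
    return { ok: false, code: status, message: "body is not a JSON-RPC 2.0 response" };
  }
  const err = body.error;
  if (err !== undefined) {
    if (err === null || typeof err !== "object" ||
        !Number.isInteger(err.code) || typeof err.message !== "string") {
      return { ok: false, code: status, message: "malformed error object" };
    }
    return { ok: false, code: err.code, message: err.message };
  }
  if (!("result" in body)) {
    return { ok: false, code: status, message: "neither result nor error present" };
  }
  return { ok: true, value: body.result };
}

// Constructed sample: the 409 case from the question, carried inside a 200 response.
const sample = toEnvelope(1, { ok: false, code: 409,
  message: "you are not allowed to do that again" });
console.log(fromEnvelope(200, sample));
console.log(fromEnvelope(0, ""));
```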