OPTIONS request authentication

Question

I am developing a web application. It is using Basic authentication. It must process OPTIONS requests. These are web browser preflight requests as well as feature-support requests from WebDAV clients.

As far as I understand OPTIONS request must be processed without requesting authentication (that is my server should not respond with 401 Unauthorized), it must give the response such as the following:

OPTIONS https://localhost:44305/path/file.ext HTTP/1.1
Connection: Keep-Alive
User-Agent: some app
Host: localhost:44305

HTTP/1.1 200 OK
Content-Length: 0
DAV: 1, 2, 3
Date: Fri, 27 Dec 2013 17:10:21 GMT

My question is: Should I always provide the same response to OPTIONS request, regardless of the URL or should it depend on the URL.

For example if the file.ext in the above example is not found, should I respond with '404 Not found' or with '200 OK'?

Answer 1

from http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html:

The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

So OPTIONS might be specific to the server or might be specific to a resource, it depends on your application. If you use cross-origin resource sharing (CORS, e.g. trying an XMLHttpRequest to another server) it will send an OPTIONS request to check if the server expects cross-origin requests for the specific resource before following with a POST request. So in this case OPTIONS should behave resource-specific. For WebDAV a server-specific OPTIONS might be enough because the client does it only to check the allowed methods (e.g. if WebDAV methods are supported).