I have a document that returns content-type JSON like this:
{
    "employees": [
        { "firstName": "John", "lastName": "Doe" },
        { "firstName": "Anna", "lastName": "Smith" },
        { "firstName": "Peter", "lastName": "Jones" }
    ]
}
Quite usual stuff.
Now I have to check if the user has permission to retrieve the results. There may be different reasons why the user should not get any result: maybe he is not logged in, or has no permission to access the "employees" data.
Because the JSON is requested by something JavaScript-related, I could just return another string like
{ "error" : "I do not know you pal!" }
or
{ "error" : "You do not have enough permissions" }
To keep to the standards, a non-200 HTTP return code would be the right thing IMHO. So returning a 403 (or 401) status code should be the right choice.
But now to my question (finally):
When I return a 403 status code in the header: will my JSON content in the body still be delivered to the client on ANY browser? Or will some browsers discard the body when an error header is received?
What is the recommended way to handle errors on a JSON response content type?
Update: Let's just assume that the response is created by a REST API that creates a response in JSON format. So 4xx status codes should be valid (at least big players like the Google APIs, Twilio etc. use these codes).
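As an added example (not part of the question above), here is the shape of the 401/403-with-JSON-body pattern on both sides. The server function produces the status, headers and body for an authorization failure; the client function parses the body first and only then looks at the status, because `fetch()` resolves for any HTTP status (it rejects only on network failure) and the body of a 4xx response is readable exactly like a 200 body. The `error`/`message` field names, the `Bearer realm="api"` challenge value and the helper names are assumptions chosen for the example; the employee records are the ones from the question.

```javascript
// Added example: JSON error responses with proper HTTP status codes.
// Field names, helper names and the realm value are assumptions for this example.

// Sample data taken from the question.
const SAMPLE_EMPLOYEES = [
  { firstName: 'John', lastName: 'Doe' },
  { firstName: 'Anna', lastName: 'Smith' },
  { firstName: 'Peter', lastName: 'Jones' },
];

const JSON_TYPE = 'application/json; charset=utf-8';

// Server side: a successful result keeps the usual document shape under a 200.
function buildSuccessResponse(employees) {
  return {
    status: 200,
    headers: { 'Content-Type': JSON_TYPE },
    body: JSON.stringify({ employees }),
  };
}

// Server side: authorization failures get a 4xx status AND a JSON body, so the
// client can branch on the status and still show a machine-readable reason.
// The body deliberately says only which check failed, not why (no hints about
// which employees exist or what the caller is missing).
function buildErrorResponse(reason) {
  const table = {
    unauthenticated: {
      status: 401,
      headers: {
        'Content-Type': JSON_TYPE,
        // RFC 7235: a 401 must carry a WWW-Authenticate challenge.
        'WWW-Authenticate': 'Bearer realm="api"',
      },
      body: { error: 'unauthenticated', message: 'Login required' },
    },
    forbidden: {
      status: 403,
      headers: { 'Content-Type': JSON_TYPE },
      body: { error: 'forbidden', message: 'No permission to read employees' },
    },
  };
  const entry = table[reason];
  if (!entry) throw new Error(`unknown reason: ${reason}`);
  return { status: entry.status, headers: entry.headers, body: JSON.stringify(entry.body) };
}

// Client side, pure part: decide what a received response means.
// Parse first, then branch on status; a 4xx body is readable like any other.
// Also defend against a proxy or web server that swapped the JSON body for an
// HTML error page, which is the usual reason a "403 with JSON" looks empty.
function interpretJsonResponse(status, contentType, bodyText) {
  if (!/^application\/json\b/i.test(contentType || '')) {
    return { ok: false, status, error: 'non_json_body' };
  }
  let payload;
  try {
    payload = JSON.parse(bodyText);
  } catch (e) {
    return { ok: false, status, error: 'malformed_json' };
  }
  if (status < 200 || status >= 300) {
    return { ok: false, status, error: payload.error ?? 'unknown', message: payload.message };
  }
  return { ok: true, status, employees: payload.employees ?? [] };
}

// Client side, browser wrapper around the real fetch API (not run offline).
// response.ok is false for 4xx/5xx, but response.text() still returns the body.
async function fetchEmployees(url) {
  const response = await fetch(url, { headers: { Accept: 'application/json' } });
  return interpretJsonResponse(
    response.status,
    response.headers.get('content-type'),
    await response.text(),
  );
}

// Offline demo: feed each server response straight into the client interpreter.
if (typeof require !== 'undefined' && require.main === module) {
  for (const r of [buildSuccessResponse(SAMPLE_EMPLOYEES), buildErrorResponse('forbidden')]) {
    console.log(r.status, interpretJsonResponse(r.status, r.headers['Content-Type'], r.body));
  }
}
```

The design choice worth noting is that the client never trusts the status code alone: it checks the content type and parses the body before deciding, so a 403 produced by the API (JSON body) and a 403 injected by an intermediary (HTML body) are told apart rather than both surfacing as an empty result.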