Comments (4)
cyu
commented on July 23, 2024
The CORS spec doesn't specify what the response code should be: http://www.w3.org/TR/cors/#resource-preflight-requests
Having said that, returning 204 does make sense, but doing quick search let me to this bug report in Firefox:
https://bugzilla.mozilla.org/show_bug.cgi?id=845881#c4
The comment suggests that returning anything but a 200 is against spec, but I can't seem to find anything in the official spec that confirms that. But reading this issue makes me reluctant to change anything until I can find something official about it.
Regarding the two OPTIONS requests: the first one is not considered a Preflight request (since Access-Control-Request-Method isn't present), and passes the request through to your Rails app which is returning a 204. The second request is a valid Preflight request, which the middleware will process and return without passing the request through to Rails.
As for GitHub's behavior, it is against spec. From the spec:
If there is no Access-Control-Request-Method header or if parsing failed, do not set any additional headers and terminate this set of steps. The request is outside the scope of this specification.
You can read the whole Preflight process here: http://www.w3.org/TR/cors/#resource-preflight-requests. I can only imagine that GitHub does this because it is easy - they probably use a directive at the web server level that just returns that header no matter what.
I have thought about making this optional behavior, but for the sake of keeping the middleware simple I think it should stick to the spec as much as possible. If there's something in the spec that covers these two cases (204 status codes and GitHub's default headers), I'll gladly incorporate them.
from rack-cors.
monfresh
commented on July 23, 2024
That makes sense, thanks!
While The CORS spec doesn't mention a specific response code, it does explicitly allow any code in the 2xx range.
The Firefox bug you linked to has been fixed, and reading through the comments I get the impression that the final consensus is that 204 is an acceptable, and better code than 200. It was originally against the Firefox spec, not the CORS spec.
I would vote for making Rack::Cors send a 204 instead of a 200 for preflight requests.
from rack-cors.
cyu
commented on July 23, 2024
Ok, that looks good to me. Yes, I agree that 204 is more appropriate in this case.
from rack-cors.
cyu
commented on July 23, 2024
Closing this issue and leaving the response status code as 200 since the spec isn't clear. It isn't worth breaking existing behavior.
from rack-cors.
Related Issues (20)
- Support for Timing-Allow-Origin HOT 5
- Tag for v2.0.0 is missing HOT 3
- Does not work with Rack 3.0.0 HOT 1
- My CORS setup blocks bad urls but not POSTMAN requests HOT 3
- Vulnerabilities in included mocha.js HOT 1
- Stripe api with Cloud9 setup
- Is there any CI? HOT 1
- Cookie session related middleware interferes HOT 3
- Remove/Replace Rack::Utils::HeaderHash HOT 7
- delete the confusing `2.0.0` tag since `v2.0.0` exists? HOT 1
- issue comeback duplicate headers because of header name case HOT 3
- Release version 2.0.1 HOT 2
- How to add Access-Control-Allow-Private-Network header in Option response?
- Why is Rails.application.config.hosts required? HOT 1
- Regex origin woes HOT 2
- Upgrade to rails 7.1.1
- Ressource with $ are not handled as expected
- Access-Control-Allow-Origin is returned only if correct Origin header is available
- Documentation for the frame-ancestors directive?
- [SECURITY] CVE-2024-27456 - Insecure File Permissions in rack-cors v2.0.1 HOT 15
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rack-cors.