CORS testing #9
Labels
bug
Something isn't working
Comments
|
I'll deal with the bug aspect of this first, and the additional feature around Access-Control-Expose-Headers could always be added on later. I hadn't clocked that many of these headers are only returned for OPTIONS and not additionally the actual methods that you may be pre-flighting in advance of. I'll remove the extended checks for all but OPTIONS. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I don't think the
validate_CORStesting implemented by GenericTest is correct. (Interestingly this seemingly only bites me in IS0402 for the Registration API "Registration API rejects an invalid X resource with a 400 HTTP code" tests, because most of the other tests don't usecheck_response.)I think this is largely down to the test being based on the flawed description of CORS in the APIs: Server Side Implementation Notes.
For example, I think Access-Control-Allow-Headers should only be used in the response to a CORS preflight (OPTIONS) request.
On the other hand, the response to a GET request should have the Access-Control-Expose-Headers header, e.g. for Content-Length.
The text was updated successfully, but these errors were encountered: