I don't think the `validate_CORS` testing implemented by GenericTest is correct. (Interestingly this seemingly only bites me in IS0402 for the Registration API "Registration API rejects an invalid X resource with a 400 HTTP code" tests, because most of the other tests don't use `check_response`.)

I think this is largely down to the test being based on the flawed description of CORS in the APIs: Server Side Implementation Notes.

For example, I think Access-Control-Allow-Headers should only be used in the response to a CORS preflight (OPTIONS) request.

On the other hand, the response to a GET request should have the Access-Control-Expose-Headers header, e.g. for Content-Length.

---

I'll deal with the bug aspect of this first, and the additional feature around Access-Control-Expose-Headers could always be added on later. I hadn't clocked that many of these headers are only returned for OPTIONS and not additionally the actual methods that you may be pre-flighting in advance of. I'll remove the extended checks for all but OPTIONS.
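The distinction this thread turns on, a preflight (OPTIONS) response carrying Access-Control-Allow-Methods/Allow-Headers versus an actual response carrying Access-Control-Expose-Headers for anything a client must read, can be checked with a small validator. The code below is an added example, not code from nmos-testing or the discussion above; the function name `validate_cors`, the `expected_exposed` parameter and the sample header dictionaries are constructed for illustration. It only demands exposure of headers outside the Fetch standard's CORS-safelisted response-header names, which now include Content-Length.

```python
"""Constructed example of a CORS response-header validator that treats
preflight (OPTIONS) responses differently from actual responses.
Not nmos-testing code; names and sample headers are assumptions."""

# Response headers a browser may read without them being listed in
# Access-Control-Expose-Headers (Fetch standard safelist).
SAFELISTED_RESPONSE_HEADERS = {
    "cache-control", "content-language", "content-length",
    "content-type", "expires", "last-modified", "pragma",
}


def _split_header_list(value):
    """Split a comma-separated header value into lower-case tokens."""
    return {token.strip().lower() for token in value.split(",") if token.strip()}


def validate_cors(method, headers, expected_exposed=()):
    """Return a list of problems found in a response's CORS headers.

    method:            request method the response was produced for.
    headers:           mapping of response header name -> value.
    expected_exposed:  header names a browser client must be able to read
                       from an actual (non-preflight) response.
    """
    h = {name.lower(): value for name, value in headers.items()}
    problems = []

    # Every CORS response needs Access-Control-Allow-Origin.
    if "access-control-allow-origin" not in h:
        problems.append("missing Access-Control-Allow-Origin")

    if method.upper() == "OPTIONS":
        # Preflight: the browser needs to learn which methods and request
        # headers are permitted before sending the real request.
        for name in ("access-control-allow-methods", "access-control-allow-headers"):
            if name not in h:
                problems.append(f"preflight response missing {name}")
        return problems

    # Actual response: the preflight-only headers are not required here.
    # Instead, non-safelisted headers the client needs must be exposed.
    exposed = _split_header_list(h.get("access-control-expose-headers", ""))
    for name in expected_exposed:
        lname = name.lower()
        if lname in SAFELISTED_RESPONSE_HEADERS or "*" in exposed or lname in exposed:
            continue
        problems.append(f"{name} is not listed in Access-Control-Expose-Headers")
    return problems


# Constructed sample responses (not captured from a real Registration API).
PREFLIGHT_OK = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, PUT, POST, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
}
POST_400 = {
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "application/json",
    "Content-Length": "42",
}

if __name__ == "__main__":
    print(validate_cors("OPTIONS", PREFLIGHT_OK))
    # A 400 to a POST passes without the preflight-only headers ...
    print(validate_cors("POST", POST_400, expected_exposed=["Content-Length"]))
    # ... but a custom header the client must read has to be exposed.
    print(validate_cors("POST", POST_400, expected_exposed=["X-Request-Id"]))
```

The point of the split return paths is that a 400 from a POST or PUT is not penalised for lacking Access-Control-Allow-Headers, which is the false failure described in the issue, while the separate exposure check gives the later Access-Control-Expose-Headers feature a natural home.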