-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS handling without headers #702
Comments
Hmmm could you please elaborate on specific wording on what spec says about existence of this header? If it doesn't say SHOULD or MUST then I guess it might be worth considering treating it as such or having option to allow missing header |
There is a link in the original issue, I'll add it again here to that you can judge for yourself |
For some reason I cannot access it from my office, I'll check it after work |
There you go
Also the raw version is available at https://github.com/whatwg/fetch/blob/master/fetch.bs#L2410 |
Hm... from this alone I'm bit unsure if it is allowed to omit this header. From the quote itself it seems that it should include these headers MDN says:
The question is how should we treat missing header? |
I think the language in the fetch specs could be clearer, especially since they use To me the fact that Firefox does not send that header in some cases is reason enough make it optional and map that to the same behavior that you would have if the header were present and with an empty value, i.e. no headers allowed in the next request. |
This is not really all that straightforward to me. IF it is firefox, it doesn't mean that it 100% correct. |
While the specification is not very specific; if a user wishes to make a request without any additional headers,
This means the header must have at least one This infact is how every other major implementation I know of does it. Also, the current implementation incorrectly allows PR in the works to resolve this. |
fixed by #816 |
When sending a preflighted cross-origin request, the leading
OPTIONS
request is expected to have theAccess-Control-Request-Headers
header set.The specs are a bit ambiguous about whether or not the header is mandatory.
The
CORS
Middleware in actix-web is expecting the header to always be set, but I found that at least Firefox is not setting that header in theOPTIONS
request if the following request doesn't contain any header.I can temporarily circumvent this by setting a dummy custom header to force Firefox to set
Access-Control-Request-Headers
, or by disabling the preflight handling on actix's side and implementing that manually, but I think it should be handled differently in the Middleware itself.The text was updated successfully, but these errors were encountered: