Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CORS multi-value response headers don't work in IE #19841

Closed
abeyad opened this Issue Aug 5, 2016 · 1 comment

Comments

Projects
None yet
1 participant
@abeyad
Copy link
Contributor

abeyad commented Aug 5, 2016

As part of our improved CORS handling (#16092), we serialize the Access-Control-Allow-Headers and Access-Control-Allow-Methods response headers using Netty, which, if given a set of values, produces a response header that looks like:

Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Headers: X-Requested-With

instead of a comma-separated list in a single header value
Access-Control-Allow-Headers: Content-Type,X-Requested-With

Separating each header value out individually should be fine according to the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2, although the RFC does leave some ambiguity if such a separation does need to be supported.

It turns out Chrome is fine with this but IE is not.

@abeyad abeyad self-assigned this Aug 5, 2016

abeyad pushed a commit to abeyad/elasticsearch that referenced this issue Aug 6, 2016

Ali Beyad
Ensures that CORS preflight requests return multi-value
Access-Control-Allow-Headers and Access-Control-Allow-Methods
response headers as single headers with comma separated values,
which is closest to the RFC specification and supports browsers
like IE which do not handle separate response header lines for
each value.

Closes elastic#19841

abeyad pushed a commit to abeyad/elasticsearch that referenced this issue Aug 8, 2016

Ali Beyad
Single comma-delimited response header for multiple values
Despite the RFC permitting multi-value response headers
to appear as individual header fields instead of a
single header field with a comma delimitted value,
Internet Explorer does not deal well with this and hence,
this commit ensures that multi-value CORS response
headers are serialized as a single header field with
a comma delimitted value. This also brings the
implementation in conformity with how Netty4 handles
multi-value headers, which is the default transport
implementation for 5.x.

Closes elastic#19841

abeyad pushed a commit to abeyad/elasticsearch that referenced this issue Aug 10, 2016

Ali Beyad
Single comma-delimited response header for multiple values
Despite the RFC permitting multi-value response headers
to appear as individual header fields instead of a
single header field with a comma delimitted value,
Internet Explorer does not deal well with this and hence,
this commit ensures that multi-value CORS response
headers are serialized as a single header field with
a comma delimitted value. This also brings the
implementation in conformity with how Netty4 handles
multi-value headers, which is the default transport
implementation for 5.x.

Closes elastic#19841

abeyad pushed a commit that referenced this issue Aug 10, 2016

Ali Beyad
Single comma-delimited response header for multiple values (#19872)
Single comma-delimited response header for multiple values

Despite the RFC permitting multi-value response headers
to appear as individual header fields instead of a
single header field with a comma delimitted value,
Internet Explorer does not deal well with this and hence,
this commit ensures that multi-value CORS response
headers are serialized as a single header field with
a comma delimitted value. This also brings the
implementation in conformity with how Netty4 handles
multi-value headers, which is the default transport
implementation for 5.x.

Closes #19841
@abeyad

This comment has been minimized.

Copy link
Contributor Author

abeyad commented Aug 10, 2016

Closed by 4566378 (2.4) and 0fd150d (2.3.6)

@abeyad abeyad closed this Aug 10, 2016

@abeyad abeyad added v2.3.2 and removed v5.0.0-alpha5 v2.3.0 labels Aug 10, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.