Added check if Access-Control-Request-Method is empty or missing.
mattiasgrenfeldt authored and empijei committed Sep 9, 2020
1 parent 4d0042a commit 2e56833
Showing 2 changed files with 2 additions and 1 deletion.
2 changes: 1 addition & 1 deletion safehttp/plugins/cors/cors.go
Expand Up @@ -139,7 +139,7 @@ func (it *Interceptor) Before(w *safehttp.ResponseWriter, r *safehttp.IncomingRe
func (it *Interceptor) preflight(setHeaders func(), w *safehttp.ResponseWriter, r *safehttp.IncomingRequest) safehttp.Result {
rh := r.Header
method := rh.Get("Access-Control-Request-Method")
if disallowedMethods[method] {
if method == "" || disallowedMethods[method] {
return w.ClientError(safehttp.StatusForbidden)
}
wh := w.Header()
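Review bot: The new `method == "" ||` guard in `preflight` rejects an absent method, but the value from `rh.Get("Access-Control-Request-Method")` is still compared as-is against the `disallowedMethods` denylist, so any non-empty value that is not an exact key continues into the code after this hunk. If the map is keyed on canonical upper-case names (the test table in this commit suggests GET, HEAD and POST), it is worth confirming that differently-cased or whitespace-padded values are rejected or normalised further down; the rest of `preflight` is outside the hunk, so this cannot be verified from here. The check also deserves a comment saying why an empty value is refused, for example `// A preflight must name the method it asks about; Get presumably returns "" for both a missing and an empty header.`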
1 change: 1 addition & 0 deletions safehttp/plugins/cors/cors_test.go
Expand Up @@ -500,6 +500,7 @@ func TestInvalidAccessControlRequestMethod(t *testing.T) {
safehttp.MethodGet,
safehttp.MethodHead,
safehttp.MethodPost,
"",
}

for _, m := range methods {
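Review bot: The added `""` entry in `TestInvalidAccessControlRequestMethod` exercises an empty Access-Control-Request-Method value, but the hunk does not show whether the loop sets the header for every entry, so the "missing" half of the commit title may not be tested separately. If the loop body always sets the header, a dedicated case that sends the preflight with the header absent would pin both paths to the 403 response. The loop body lies outside this hunk, so this needs checking against the full test.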