Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add HEAD to CORS ALL_METHODS list #3

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Conversation

jcwilson
Copy link
Owner

@jcwilson jcwilson commented Nov 26, 2020

The HEAD method is conspicuously absent from the allowed methods list when allow_methods="*" is used.
This doesn't really affect CORS preflight requests, as HEAD requests aren't preflighted from the browser, but it
does prevent the actual cross-origin HEAD response from being read by the calling app.
This can catch people off-guard.

This PR simply adds HEAD to the ALL_METHODS list in the CORS middleware module and includes some
additional tests to validate the new behavior.

The HEAD method is conspicuously absent from the allowed methods list when `allow_methods="*"` is
used. This doesn't really affect CORS preflight requests, as HEAD requests aren't preflighted by the
browser, but it does prevent the actual cross-origin HEAD response from being read by the calling
app.
[This can catch people off-guard.](https://discuss.encode.io/t/for-cors-middleware-why-is-head-not-included-in-all-methods/939)

This simply adds HEAD to the `ALL_METHODS` list in the CORS middleware module and includes some
additional tests to validate the new behavior.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants