After sending and validating the preflight request when sending a CORS request, before validating the CORS for the actual request, the headers present in the preflight response are merged into the actual request response.
Checking the history of this code, this behavior was introduced when the preflight implementation didn't validate the CORS for the preflight request, and made a single combined check for the headers of both responses.
This doesn't follow the W3C recommendations (https://www.w3.org/TR/cors/#preflight-request), and it introduces errors, like when the called API returns a different value for Access-Control-Allow-Origin between the preflight and the actual response.
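The behaviour reported above, modelled as an added example that is not part of the original issue or the project's code: it compares a check run on merged headers with separate checks on each response. The function names, the sample origin and the merge semantics (values appended with a comma) are assumptions.

```javascript
// Added illustration. All header maps below are constructed samples.
const ORIGIN = "https://app.example"; // hypothetical requesting origin
const ACAO = "access-control-allow-origin";

// Resource sharing check for a non-credentialed request:
// the header must be exactly "*" or exactly the requesting origin.
function corsCheck(headers, origin) {
  const value = headers[ACAO];
  return value === "*" || value === origin;
}

// Assumed merge semantics: preflight values are appended to the
// actual response's values, comma-joined, before the second check.
function mergeHeaders(actual, preflight) {
  const merged = { ...actual };
  for (const [name, value] of Object.entries(preflight)) {
    merged[name] = name in merged ? `${merged[name]}, ${value}` : value;
  }
  return merged;
}

// Flow described in the issue: validate preflight, merge, validate.
function mergedFlow(preflight, actual, origin) {
  if (!corsCheck(preflight, origin)) return false;
  return corsCheck(mergeHeaders(actual, preflight), origin);
}

// Flow the CORS recommendation describes: each response is checked
// on its own headers only.
function separateFlow(preflight, actual, origin) {
  return corsCheck(preflight, origin) && corsCheck(actual, origin);
}

// Case A: both responses are valid but carry different values.
const differingValues = {
  preflight: { [ACAO]: "*" },
  actual: { [ACAO]: ORIGIN },
};
// Case B: the actual response carries no Access-Control-Allow-Origin.
const missingOnActual = {
  preflight: { [ACAO]: ORIGIN },
  actual: {},
};

function compare({ preflight, actual }) {
  return {
    merged: mergedFlow(preflight, actual, ORIGIN),
    separate: separateFlow(preflight, actual, ORIGIN),
  };
}
```

Case A is rejected by the merged check although both responses are valid on their own; case B is accepted by the merged check although the actual response never authorised the origin.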