Drop Origin & Accept from Access-Control-Allow-Headers value #3225
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
sounds plausible to me. For the record, this was added in #1365, based on Synapse's implementation. The presence of However, I'm going to leave this for a review from someone who knows more about CORS headers than me. We should also ask ourselves whether this requires an MSC, but given it's just a recommendation, my inclination is to say not. @sideshowbarker: do you know if this change has been implemented in any server implementations? I'd be happy to see a PR for Synapse. |
sideshowbarker
added a commit
to sideshowbarker/synapse
that referenced
this pull request
Jun 3, 2021
This change drops the Origin and Accept header names from the value of the Access-Control-Allow-Headers response header sent by Synapse. Per the CORS protocol, it’s not necessary or useful to include those header names. Details: Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: matrix-org/matrix-spec-proposals#3225 Signed-off-by: Michael[tm] Smith <mike@w3.org>
It’s not been — I started just with raising it here.
OK, raised matrix-org/synapse#10114 |
This change drops the Origin and Accept header names from the recommended value for the CORS Access-Control-Allow-Headers header. Per the CORS protocol, it’s not necessary or useful to include them. Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: Related: matrix-org/synapse#10114 Signed-off-by: Michael[tm] Smith <mike@w3.org>
sideshowbarker
force-pushed
the
client-server-api-Access-Control-Allow-Headers-drop-Options-Accept
branch
from
dbd1ef7
to
2481074
Compare
|
I don't think this sort of change needs an MSC by the way: if it becomes a problem then we can MSC it, but for the time being it's a clarification-style change. |
richvdh
pushed a commit
to matrix-org/synapse
that referenced
this pull request
Jun 23, 2021
* Drop Origin & Accept from Access-Control-Allow-Headers value This change drops the Origin and Accept header names from the value of the Access-Control-Allow-Headers response header sent by Synapse. Per the CORS protocol, it’s not necessary or useful to include those header names. Details: Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: matrix-org/matrix-spec-proposals#3225 Signed-off-by: Michael[tm] Smith <mike@w3.org>
richvdh
pushed a commit
that referenced
this pull request
Aug 23, 2021
…-Control-Allow-Headers-drop-Options-Accept Drop Origin & Accept from Access-Control-Allow-Headers value
richvdh
pushed a commit
that referenced
this pull request
Aug 27, 2021
…-Control-Allow-Headers-drop-Options-Accept Drop Origin & Accept from Access-Control-Allow-Headers value
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change drops the
OriginandAcceptheader names from the recommended value for the CORSAccess-Control-Allow-Headersheader. Per the CORS protocol, it’s not necessary or useful to include them.Details:
Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name,
Originis a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set.So the value of
Access-Control-Allow-Headersisn’t relevant toOriginor in general to other headers set by the browser itself — the browser never ever consults theAccess-Control-Allow-Headersvalue to confirm that it’s OK for the request to include anOriginheader.And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
Acceptis a “CORS-safelisted request-header”, which means that browsers allow requests to contain theAcceptheader regardless of whether theAccess-Control-Allow-Headersvalue contains "Accept".*So it’s unnecessary for the
Access-Control-Allow-Headersto explicitly includeAccept. Browsers will not perform a CORS preflight for requests containing anAcceptrequest header.Related: matrix-org/synapse#10114
Signed-off-by: Michael[tm] Smith
<mike@w3.org>* There is actually one edge case in which browsers won’t allow an
Acceptheader in a request: If the value contains a “CORS-unsafe request-header byte” https://fetch.spec.whatwg.org/#cors-unsafe-request-header-byte. But in that case, theAcceptheader is anyway malformed and is therefore not going to have its intended effect. So that edge case doesn’t merit includingAcceptin theAccess-Control-Allow-Headersvalue.