Isso Forces CORS Preflight but is unable to handle CORS Preflight requests #347
Comments
Isso answers to CORS preflight requests: https://github.com/posativ/isso/blob/master/isso/wsgi.py#L122. Do you have a web proxy in use with Isso?
I believe I do have a web proxy in use as well, currently using Nginx.
Please try without nginx for Isso and directly use Isso.
Okay, I can see an exception on my services...
Hello, I encountered this error also.
And updating my nginx file like below can solve this problem
Hi, you can fix it by running:
Related: #297
I believe the issue might have been introduced by this commit: 0377c8b. It seems to remove the 200 response from the options request. Still blank in the current version: https://github.com/posativ/isso/blob/master/isso/wsgi.py#L148
My ...
```python
from werkzeug.wrappers import Response
...
if environ.get("REQUEST_METHOD") == "OPTIONS":
    #add_cors_headers(b"200 Ok", [("Content-Type", "text/plain")])
    #return []
    response = Response("Ok")
    return response(environ, add_cors_headers)
```
I don't remember where the replacement code comes from. It works from behind Nginx and the same isso instance serves two sites on different domains.
Hello!
I am attempting to use Isso in my project, but the way I am using it I have to communicate directly with the API built into Isso. I am currently running into an issue where if I attempt to add a comment using the `/new` API endpoint, the request either will return a `CSRF` error (if I omit the `Content-Type` header), or a 502 error (if I attempt to call it like I do normally).
The issue is that Isso does not respond to the CORS preflight request.
Normally, the workaround would be to perform a Simple Request using an `XMLHttpRequest` but if the `Content-Type` header is omitted (instead of being `application/json`) so that the request is compliant with being a "Simple Request", Isso throws a `CSRF` error since the `Content-Type` header is unset.
The way to fix this bug would be to respond properly to the CORS preflight request (by listening to an `OPTIONS` request being made to the `/new` API endpoint), or remove the requirement of adding the `Content-Type` header to allow it to be just a Simple Request.
I assume many have not run into this issue, as the CORS preflight request would not be sent if the user was on the same domain as the Isso server (since it would not be Cross Origin then).
Please let me know if you need any more information!
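
The interaction described in the issue above, as an added example that is not part of the original thread or of Isso's code: a stdlib-only WSGI middleware that answers the `OPTIONS` preflight for an allowlisted origin while keeping the `application/json` Content-Type requirement as the CSRF check. `CorsGuard`, `demo_app`, `call`, the origin `https://blog.example` and the 403 status are assumptions made for this example.

```python
# Added example: every name and value here is hypothetical, not Isso's code.
ALLOWED_ORIGINS = {"https://blog.example"}  # constructed allowlist

class CorsGuard:
    """WSGI middleware: answer preflights, require JSON Content-Type on POST."""

    def __init__(self, app, allowed=ALLOWED_ORIGINS):
        self.app, self.allowed = app, allowed

    def _cors(self, origin):
        # Echo the origin only when allowlisted; never reflect arbitrary origins.
        if origin not in self.allowed:
            return [("Vary", "Origin")]
        return [("Access-Control-Allow-Origin", origin),
                ("Access-Control-Allow-Methods", "GET, POST, OPTIONS"),
                ("Access-Control-Allow-Headers", "Content-Type"),
                ("Vary", "Origin")]

    def __call__(self, environ, start_response):
        cors = self._cors(environ.get("HTTP_ORIGIN"))
        method = environ.get("REQUEST_METHOD")
        if method == "OPTIONS":
            # Preflight: reply here with an empty 200 instead of reaching the app.
            start_response("200 OK", cors + [("Content-Length", "0")])
            return [b""]
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if method == "POST" and ctype != "application/json":
            # A cross-site form or "simple" XHR cannot send this type
            # without a preflight, so its absence is treated as CSRF.
            start_response("403 Forbidden", cors + [("Content-Type", "text/plain")])
            return [b"CSRF"]
        return self.app(environ, lambda s, h, e=None: start_response(s, h + cors, e))

def demo_app(environ, start_response):
    # Stand-in for the comment API behind the middleware.
    start_response("201 Created", [("Content-Type", "application/json")])
    return [b"{}"]

def call(method, origin="", ctype=""):
    """Drive the middleware with a constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/new",
               "HTTP_ORIGIN": origin, "CONTENT_TYPE": ctype}
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(CorsGuard(demo_app)(environ, start_response))
    return seen["status"], seen["headers"], body
```

When a reverse proxy sits in front of the application, the `OPTIONS` request has to be passed through (or answered by the proxy with the same headers) for the preflight to succeed.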