New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Normalize allowed request headers and store them in a sorted set (fixes #170) #171
Conversation
As a bonus, this PR obsoletes #133. |
It's a larger change than I expected. I have it in my TODO. |
I've reduced the size of the malicious ACRH header in the benchmark. No need for it to be long to show that my PR fixes the issue. |
I can't find where in the CORS spec, it is required that the values listed in ACRH are sorted in lexicographical order. Can you please point me to where it is defined? |
Ok I see it in the fetch spec as pointed out in the comment and validated current browser are following this recommendation. |
Thanks fir PR. Great implementation. |
Proposed solution to issue #170
The Fetch standard provides several guarantees that we can take advantage of:
Access-Control-Request-Headers
header (called ACRH below);Therefore,
This is the approach I adopted in jub0bs/cors. 😇
Benchmarks
Here's a benchmark comparison between old (commit ad0e722) and new:
Looks like a net win: