Documentation issue about POST and content-type
johannesgerer opened this issue · 2 comments
The doc says
If the request is a POST request the content type is constrained to simple content types (application/x-www-form-urlencoded, multipart/form-data, text/plain),
yet this does not seem to be enforced.
What do you mean with "is not enforced"? The middleware only returns an error status if the CORS protocol itself is violated. The CORS middleware does not enforce any CORS policy. It only provides the client (browser) with the required information to do enforcement. If additional server-side restrictions are required for the resource, the application that serves the resources would have to do this.
Do you think that this issue is about the former (incorrect implementation of the CORS protocol)? That would indeed be a bug.
(One could consider providing a middleware that implements the server-side restrictions for the resource that are implied by the CORS policy, but that's (currently) beyond the scope of this package.)
When I say enforced, I mean this constraining to simple content types which is mentioned in the docs is not performed in the code, simpleCorsResourcePolicy does not do what is promised in the docs.
You can also follow the code in the opposite direction: simpleContentTypes is only used in isSimple, which in turn is not used anywhere. So you clearly intended to do something, but the code falls short of actually doing it...
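
An application-level check of the kind discussed in this thread, as an added example that is not part of the thread or of the package's code: a WAI middleware that rejects cross-origin POST requests whose Content-Type is not one of the three simple types quoted from the docs. The names `requireSimplePost`, `violatesSimplePost`, `mediaType` and `demoApp`, the 415 response and port 8080 are assumptions made for the illustration; a POST without a Content-Type header is let through here.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (hypothetical names), not code from the package under discussion.
module Main (main) where

import qualified Data.ByteString.Char8 as B8
import qualified Data.CaseInsensitive as CI
import Data.Char (isSpace)
import Data.Maybe (isJust)
import Network.HTTP.Types (hContentType, methodPost, status200, status415)
import Network.Wai (Application, Middleware, Request, requestHeaders, requestMethod, responseLBS)
import Network.Wai.Handler.Warp (run)

-- The simple content types listed in the quoted documentation.
simpleContentTypes :: [CI.CI B8.ByteString]
simpleContentTypes =
  [ "application/x-www-form-urlencoded"
  , "multipart/form-data"
  , "text/plain"
  ]

-- Media type without parameters: "Text/Plain; charset=utf-8" -> "text/plain".
mediaType :: B8.ByteString -> CI.CI B8.ByteString
mediaType = CI.mk . trim . B8.takeWhile (/= ';')
  where
    trim = fst . B8.spanEnd isSpace . B8.dropWhile isSpace

-- True for a POST that carries an Origin header and a non-simple Content-Type.
violatesSimplePost :: Request -> Bool
violatesSimplePost req =
  requestMethod req == methodPost
    && isJust (lookup "Origin" hdrs)
    && maybe False ((`notElem` simpleContentTypes) . mediaType) (lookup hContentType hdrs)
  where
    hdrs = requestHeaders req

-- Server-side restriction: answer 415 instead of passing the request on.
requireSimplePost :: Middleware
requireSimplePost app req respond
  | violatesSimplePost req =
      respond (responseLBS status415 [(hContentType, "text/plain")] "non-simple Content-Type\n")
  | otherwise = app req respond

-- Constructed stand-in for the real application.
demoApp :: Application
demoApp _ respond = respond (responseLBS status200 [(hContentType, "text/plain")] "ok\n")

main :: IO ()
main = run 8080 (requireSimplePost demoApp)
```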