lomigmegard/akka-http-cors

Non preflight requests from unknown origins should not be rejected

Opened this issue · 1 comments

in https://github.com/lomigmegard/akka-http-cors/blob/master/akka-http-cors/src/main/scala/ch/megard/akka/http/cors/CorsDirectives.scala#L126

A non-preflight request is being rejected because it came from an unknown origin.

Correct behaviour: non-preflight requests from unknown origins should not be rejected.

Hi @ahmedhamdy88 ,

This is an interesting point you made. I read again the W3C specs, regarding the origin (for both actual and pre-flight requests):

If the value of the Origin header is not a case-sensitive match for any of the values in list of origins do not set any additional headers and terminate this set of steps. §6.1.2 and §6.2.2

I am not sure how to interpret this sentence. Should we stop the complete request handling or just the "CORS part"?

I looked at other implementations and it seems these projects are also rejecting the request:

  1. The Cors filter from Dzhuvinov Software rejects the request with a 403 Forbidden.
  2. The Cors filter from eBay rejects the request with a 403 Forbidden as shown in the CORS Flow Chart.
  3. The Mozilla Server-Side Access Control documentation has examples showing requests being rejected with a 403 Forbidden.

Do you have any other sources showing the opposite behaviour? Especially in the case of the actual request, for which it is very unclear.
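As an added illustration of the two readings debated above (this is not code from akka-http-cors or from either participant), a JavaScript sketch of the CORS layer's decision for preflight and actual requests; the allow-list, the request shape and the `rejectUnknown` switch are assumptions:

```javascript
// Assumed allow-list; matching is case-sensitive per the W3C text quoted above.
const ALLOWED_ORIGINS = ['https://app.example'];

// A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === 'OPTIONS' &&
    req.headers.origin !== undefined &&
    req.headers['access-control-request-method'] !== undefined;
}

// Decides what the CORS layer does before the inner route runs.
// Result: { action: 'pass', headers }            -> continue to the route, add headers
//         { action: 'respond', status, headers } -> short-circuit with this response
function corsLayer(req, { rejectUnknown }) {
  const origin = req.headers.origin;
  if (origin === undefined) {
    // No Origin header: not a CORS request, nothing for this layer to do.
    return { action: 'pass', headers: {} };
  }
  if (!ALLOWED_ORIGINS.includes(origin)) {
    // W3C 6.1.2 / 6.2.2: "do not set any additional headers and terminate this set of steps".
    // Reading A (what the library and the 403-returning filters do): reject outright.
    // Reading B (the reporter's): let the route answer, but without any CORS headers,
    // so the browser withholds the response from the calling script. Note that under
    // reading B the server still processes the request; CORS headers only govern what
    // the browser exposes, so they are not a substitute for server-side authorization.
    return rejectUnknown
      ? { action: 'respond', status: 403, headers: {} }
      : { action: 'pass', headers: {} };
  }
  const allow = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (isPreflight(req)) {
    // Allowed preflight: answer it here, echoing the requested method.
    return {
      action: 'respond',
      status: 204,
      headers: { ...allow,
        'Access-Control-Allow-Methods': req.headers['access-control-request-method'] },
    };
  }
  // Allowed actual request: hand it to the route with the CORS headers attached.
  return { action: 'pass', headers: allow };
}
```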