Proposal: Support OPTIONS requests

Question

Proposal: Support OPTIONS requests

Opened this issue 6 years ago · 1 comments

I'd like to discuss adding the possibility to handle OPTIONS requests as well in the handler.

This would allow to handle CORS requests that initiate a Preflight request.

The handler could then act depending on the request method, as shown in the following example:

class Handler
  def run(body, headers)
    if headers['REQUEST_METHOD'] == 'OPTIONS'
      return [
        [],
        {
          'Allow' => 'POST, GET, OPTIONS',
          'Access-Control-Allow-Methods' => 'POST, GET, OPTIONS',
          'Access-Control-Allow-Origin' => '*',
          'Access-Control-Allow-Headers' => 'Accept'
        }
      ]
    end

    # ....
end

The change is backwards compatible, we'd only have to add one more route to sinatra.

We could also discuss to allow all available request methods.

Answer 1 · 2019-10-15T09:51:42.000Z

This seems reasonable to me. One thing to note about origins, setting Access-Control-Allow-Origin to * only works for requests without credentials. This is documented here https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Access-Control-Allow-Origin although it doesn't really highlight the consequences well.

For APIs where you want to support sending credentials to the function, this will not work. You need to specify the request Host as the Origin in that case.