whatyouhide/corsica

odd access-control-request-headers behavior

buhman opened this issue · 1 comment

If a browser adds an Access-Control-Request-Headers with a non-allowed header, the preflight response is missing all cors headers. This behavior was a bit surprising/confusing.

Sample request:

OPTIONS /api/urls HTTP/1.1
Host: localhost:4000
User-Agent: curl/7.56.0
Accept: */*
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Origin: http://foo.com

Sample response:

HTTP/1.1 200 OK
server: Cowboy
date: Mon, 23 Oct 2017 01:28:29 GMT
content-length: 0
cache-control: max-age=0, private, must-revalidate
x-request-id: ljj0mkelhqivq73msmg4768v6ahq1gjf

Expected response:

HTTP/1.1 200 OK
server: Cowboy
date: Mon, 23 Oct 2017 01:28:10 GMT
content-length: 0
cache-control: max-age=0, private, must-revalidate
x-request-id: cctc2p5nr252g6aurrsrch93sfe0er6s
access-control-allow-origin: *
access-control-allow-methods: HEAD, GET, POST, PUT, PATCH, DELETE
access-control-allow-headers: 

If any of the header field-names is not a ASCII case-insensitive match for any of the values in list of headers do not set any additional headers and terminate this set of steps.

Ok.
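The response in the report is the fail-closed behaviour the quoted spec step requires: once any requested header (here `content-type`) is outside the server's allowed list, the preflight algorithm stops before setting any `Access-Control-*` headers, so the client sees a 200 with no CORS headers at all rather than a partial set. The following is an added example, not code from Corsica or from the issue author; it is written in Python as a stand-alone illustration rather than in Elixir, and the `evaluate_preflight` function, its configuration parameters and the default allowed lists are assumptions chosen to mirror the expected response in the report. It walks the preflight checks in spec order and, alongside the headers, returns a server-side reason for the first failing step so a maintainer can log why a preflight produced an empty header set without revealing that reason to the requesting origin.

```python
from typing import Dict, List, Mapping, Optional, Sequence, Tuple

# Constructed configuration for this example (an assumption, not Corsica's
# settings): wildcard origin, the method list from the expected response, and
# no extra allowed request headers, which is what makes "content-type" fail.
DEFAULT_ALLOWED_ORIGINS = {"*"}
DEFAULT_ALLOWED_METHODS = ["HEAD", "GET", "POST", "PUT", "PATCH", "DELETE"]
DEFAULT_ALLOWED_HEADERS: Sequence[str] = []


def parse_header_list(value: str) -> List[str]:
    """Split a comma-separated header field-name list, trimming whitespace."""
    return [name.strip() for name in value.split(",") if name.strip()]


def evaluate_preflight(
    request_headers: Mapping[str, str],
    allowed_origins=DEFAULT_ALLOWED_ORIGINS,
    allowed_methods: Sequence[str] = DEFAULT_ALLOWED_METHODS,
    allowed_headers: Sequence[str] = DEFAULT_ALLOWED_HEADERS,
) -> Tuple[Dict[str, str], Optional[str]]:
    """Apply the CORS preflight steps to an OPTIONS request.

    Returns (response_headers, rejection_reason). On any failing step the
    header dict is empty, matching the spec's "do not set any additional
    headers and terminate this set of steps"; the reason is for server-side
    logging only and must not be echoed back to the client.
    """
    # Header names are case-insensitive; normalise for lookup.
    req = {name.lower(): value for name, value in request_headers.items()}

    origin = req.get("origin")
    if origin is None:
        return {}, "no Origin header: not a CORS request"
    if "*" not in allowed_origins and origin not in allowed_origins:
        return {}, f"origin {origin!r} not allowed"

    method = req.get("access-control-request-method")
    if method is None:
        return {}, "missing Access-Control-Request-Method"
    if method.upper() not in {m.upper() for m in allowed_methods}:
        return {}, f"method {method!r} not allowed"

    # The step quoted in the issue: every requested field-name must be an
    # ASCII case-insensitive match for a value in the allowed header list.
    requested = parse_header_list(req.get("access-control-request-headers", ""))
    allowed_lower = {name.lower() for name in allowed_headers}
    rejected = [name for name in requested if name.lower() not in allowed_lower]
    if rejected:
        return {}, f"requested header(s) not allowed: {', '.join(rejected)}"

    # All steps passed: emit the full CORS header set.
    headers = {
        "access-control-allow-origin": "*" if "*" in allowed_origins else origin,
        "access-control-allow-methods": ", ".join(allowed_methods),
        "access-control-allow-headers": ", ".join(allowed_headers),
    }
    return headers, None


if __name__ == "__main__":
    # Constructed request modelled on the OPTIONS request in the report.
    reported = {
        "Origin": "http://foo.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type",
    }
    hdrs, why = evaluate_preflight(reported)
    print("headers:", hdrs)   # {} : the empty set the reporter observed
    print("reason :", why)    # logged server-side, never sent to the client
```

The same request with `Access-Control-Request-Headers` removed, or with `allowed_headers=["content-type"]`, passes every step and yields the three headers the reporter expected, which is the quickest way to confirm that a missing header set is an allow-list mismatch rather than a misconfigured plug.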