whatyouhide/corsica

Corsica does reject origins that are not allowed, only logs a warning

DevonPeroutky opened this issue · 2 comments

Expected Behavior

When a request comes in from an origin not specified in origins:, the Corsica.Router rejects the request with a 403 (or another error code).

Actual Behavior

I see the following log:

[warn] Simple CORS request from Origin "file://peak-electron-app" is not allowed

And then the request executes successfully.

My code:

defmodule MyApp.CORS do
  use Corsica.Router,
    origins: [
      "http://localhost:3001",
      "http://localhost:3000",
      "http://localhost:5000",
      "https://peak-app-server.onrender.com"
      # "file://peak-electron-app",
    ],
    allow_credentials: true,
    allow_headers: ["accept", "content-type", "x-requested-with"],
    allow_methods: :all,
    log: [rejected: :warn, invalid: :warn, accepted: :info]

  # TODO: Fix this
  resource "/*"
end

defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # The CORS router is the first plug in the endpoint pipeline
  plug MyApp.CORS
  # ...
  plug Plug.MethodOverride
  plug Plug.Head
  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end

As far as I understand, I believe the MyApp.CORS plug is the very first plug executed (but I'm an Elixir/Phoenix noob) so maybe there's something I'm not aware of. Is there something I misconfigured? Or are my expectations of the Plug/Router off?

Hey @DevonPeroutky, do you have an example of an HTTP request that should be but is not rejected by the router you posted here?

So it turns out that this was entirely my fault. I was making the request from within an Electron app and forgot I had configured webSecurity: false, which disables CORS.

Thanks @whatyouhide for the quick response, sorry for the false alarm.
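
Added example, not from this thread and not part of Corsica: CORS is enforced by the client reading the response headers, so a client with web security turned off (as with webSecurity: false above) or a non-browser client still receives the response and the handler still runs. Where the server itself must refuse disallowed origins with a 403, a plug like the one below can sit in front of MyApp.CORS; the module name MyApp.EnforceOrigin and its :origins option are assumptions made for this sketch.

```elixir
defmodule MyApp.EnforceOrigin do
  @moduledoc """
  Hypothetical plug (added example): halts any request whose Origin header is
  present but not on the allowlist, instead of only withholding CORS headers.
  """
  @behaviour Plug
  import Plug.Conn
  require Logger

  # Usage in the endpoint, before `plug MyApp.CORS`:
  #   plug MyApp.EnforceOrigin, origins: ["http://localhost:3000"]
  @impl true
  def init(opts), do: Keyword.fetch!(opts, :origins)

  @impl true
  def call(conn, allowed) do
    case get_req_header(conn, "origin") do
      # No Origin header: same-origin navigation, curl, server-to-server calls.
      # Origin is not authentication, so these still need real access control.
      [] ->
        conn

      [origin] ->
        if origin in allowed, do: conn, else: reject(conn, origin)

      # More than one Origin header is malformed; refuse rather than guess.
      _many ->
        reject(conn, "<multiple Origin headers>")
    end
  end

  defp reject(conn, origin) do
    # inspect/1 escapes control characters so the header cannot forge log lines.
    Logger.warning("Rejected request from disallowed Origin #{inspect(origin)}")

    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(403, "Origin not allowed")
    |> halt()
  end
end
```

Because the Origin header is set by the client, this only stops honest browsers and misconfigured apps from reaching handlers; it does not replace authentication or CSRF protection.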