This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Drop Origin & Accept from Access-Control-Allow-Headers value #10114

Commits on Jun 3, 2021

  1. Drop Origin & Accept from Access-Control-Allow-Headers value

    This change drops the Origin and Accept header names from the value of the
    Access-Control-Allow-Headers response header sent by Synapse. Per the CORS
    protocol, it’s not necessary or useful to include those header names.
    
    Details:
    
    Per spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin
    is a “forbidden header name” set by the browser and that frontend
    JavaScript code is never allowed to set.
    
    So the value of Access-Control-Allow-Headers isn’t relevant to Origin or
    in general to other headers set by the browser itself — the browser
    never ever consults the Access-Control-Allow-Headers value to confirm
    that it’s OK for the request to include an Origin header.
    
    And per spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
    Accept is a “CORS-safelisted request-header”, which means that browsers
    allow requests to contain the Accept header regardless of whether the
    Access-Control-Allow-Headers value contains "Accept".
    
    So it’s unnecessary for the Access-Control-Allow-Headers to explicitly
    include Accept. Browsers will not perform a CORS preflight for requests
    containing an Accept request header.
    
    Related: matrix-org/matrix-spec-proposals#3225
    
    Signed-off-by: Michael[tm] Smith <[email protected]>
    sideshowbarker committed Jun 3, 2021 (commit 253ba00)
  2. Commit af222a1
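The reasoning in the first commit message generalises to any Access-Control-Allow-Headers value: a name that is a forbidden header name is never consulted by the browser, and a CORS-safelisted request header never triggers a preflight, so both are dead weight in the list. The following script is an added example, not code from the Synapse PR or the Synapse project; it classifies each name in a proposed value by the Fetch standard's definitions and reports the trimmed value a server actually needs. The name lists reproduce https://fetch.spec.whatwg.org/ as of mid-2021 and are an assumption of this example, as is the sample header value, which is constructed in the style of the header the commit describes.

```javascript
// Added example (not code from the Synapse PR): classify each name in an
// Access-Control-Allow-Headers value by what the Fetch standard says a browser
// does with it, and compute the trimmed value the server actually needs.
// The name lists reproduce https://fetch.spec.whatwg.org/ as of mid-2021 and
// are an assumption of this example; check the living standard before use.

// https://fetch.spec.whatwg.org/#forbidden-header-name: set by the browser,
// never by page script, so listing them in Allow-Headers has no effect.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// https://fetch.spec.whatwg.org/#cors-safelisted-request-header: allowed on a
// cross-origin request without preflight (subject to value restrictions).
const SAFELISTED_ANY_VALUE = new Set(["accept", "accept-language", "content-language"]);
// Content-Type is safelisted only for application/x-www-form-urlencoded,
// multipart/form-data and text/plain; a JSON API still needs it listed.
const SAFELISTED_LIMITED_VALUES = new Set(["content-type"]);

function isForbiddenHeaderName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Returns "forbidden" (browser never sends it from script), "safelisted"
// (never triggers a preflight, so listing it is redundant), "conditional"
// (safelisted only for some values, so keep it) or "needed" (must be listed).
function classifyAllowHeader(name) {
  const n = name.trim().toLowerCase();
  if (isForbiddenHeaderName(n)) return "forbidden";
  if (SAFELISTED_ANY_VALUE.has(n)) return "safelisted";
  if (SAFELISTED_LIMITED_VALUES.has(n)) return "conditional";
  return "needed";
}

// Parse a comma-separated Access-Control-Allow-Headers value and split it into
// the names worth keeping and the redundant ones, with the reason for dropping.
function trimAllowHeaders(value) {
  const keep = [];
  const dropped = {};
  for (const raw of value.split(",")) {
    const name = raw.trim();
    if (!name) continue;
    const verdict = classifyAllowHeader(name);
    if (verdict === "forbidden" || verdict === "safelisted") dropped[name] = verdict;
    else keep.push(name);
  }
  return { keep, dropped, header: keep.join(", ") };
}

// Constructed sample value in the style of the header the commit describes.
const SAMPLE = "Origin, X-Requested-With, Content-Type, Accept, Authorization";
const result = trimAllowHeaders(SAMPLE);
console.log("keep:   ", result.header);
console.log("dropped:", result.dropped);
```

Run it with `node` to see `Origin` dropped as forbidden and `Accept` dropped as safelisted while `Content-Type` survives, because a request carrying `Content-Type: application/json` is not safelisted and still needs the preflight allowance. One further caveat from the same spec section: a safelisted header is only exempt from preflight while its value stays within the spec's byte limits, so an unusually long `Accept` value would still preflight regardless of what the server lists.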