-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cors should use pre-matching request check #11097
base: 4.7.x
Are you sure you want to change the base?
Conversation
return Optional.of(HttpStatus.FORBIDDEN); | ||
if (hasAllowedHeaders(request, config)) { | ||
List<UriRouteMatch<Object, Object>> anyUriRoutes = router.findAny(request); | ||
if (anyUriRoutes.isEmpty()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is how it worked before, but I think that's not correct. methodToMatchOptional
is OPTIONS for preflight check and there is no such method in mocked tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
methodToMatchOptional can be not OPTIONS if there's a Access-Control-Request-Method header
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldt'n we fail OPTIONS call if there is no route present under that path?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, in that case the preflight should return a good response and the actual cors request should return the 404. This will allow the cors client to see that the route is missing. Otherwise it will just get a permission error
seems to be failing? |
|
||
then: | ||
HttpStatus.OK == response.status() | ||
HttpStatus.FORBIDDEN == response.status() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No description provided.