CORS route-specific override can conflict with connection defaults #2840

hueniverse · 2015-10-14T08:38:36Z

If the connection has CORS enabled but one route has it off, and the route is not GET, the OPTIONS prefetch request will return the default CORS headers and then the actual request will go through and return no CORS headers. This defeats the purpose of turning CORS on the route.

Also, try to automate Access-Control-Allow-Methods

hueniverse added bug Bug or defect security Issue with security impact labels Oct 14, 2015

hueniverse added a commit that referenced this issue Oct 14, 2015

Prep for #2840

f36ff76

hueniverse self-assigned this Oct 14, 2015

hueniverse added a commit that referenced this issue Oct 15, 2015

Refactor cors. For #2840

cb933e1

hueniverse added a commit that referenced this issue Oct 15, 2015

Move cors tests. For #2840

8358da1

hueniverse added a commit that referenced this issue Oct 16, 2015

Partial implementation for #2840

c93454c

hueniverse closed this as completed in cece789 Oct 16, 2015

hueniverse added this to the 10.5.1 milestone Oct 16, 2015

hueniverse added the breaking changes Change that can breaking existing code label Oct 16, 2015

Wardormeur mentioned this issue Feb 3, 2017

HapiJs CORS doesn't respect pre-flight for route-based conf CoderDojo/community-platform#1144

Closed

lock bot locked as resolved and limited conversation to collaborators Jan 10, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CORS route-specific override can conflict with connection defaults #2840

CORS route-specific override can conflict with connection defaults #2840

hueniverse commented Oct 14, 2015

CORS route-specific override can conflict with connection defaults #2840

CORS route-specific override can conflict with connection defaults #2840

Comments

hueniverse commented Oct 14, 2015