Astro seems to handle HTTP OPTIONS requests incorrectly for SSR pages #13103

Open
1 task
corneliusroemer opened this issue Jan 30, 2025 · 0 comments
Labels
needs triage Issue needs to be triaged

Comments

@corneliusroemer

Astro Info

N/A

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

Astro seems to handle OPTIONS requests incorrectly: it does not respond with the correct headers and sends the same response as if one had sent a GET request. The HTTP spec (RFC 9110) says:

A server generating a successful response to OPTIONS SHOULD send any header that might indicate optional features implemented by the server and applicable to the target resource (e.g., Allow), including potential extensions not defined by this specification. The response content, if any, might also describe the communication options in a machine or human-readable representation. A standard format for such a representation is not defined by this specification, but might be defined by future extensions to HTTP.

What's the expected result?

$ curl -X OPTIONS -i localhost:4321 \
  -H "Origin: https://example.com" \
  -H "Access-Control-Request-Method: POST"
HTTP/2 204
access-control-allow-methods: OPTIONS, GET, HEAD
access-control-allow-origin: *

What actually happened:

curl localhost:4321 \
   -X OPTIONS \
   -H "Access-Control-Request-Method: POST" \
   -H "Access-Control-Request-Headers: content-type" \
   -H "Origin: https://reqbin.com" -i
HTTP/1.1 403 Forbidden
content-type: text/plain;charset=UTF-8
Date: Thu, 30 Jan 2025 23:33:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

Cross-site OPTIONS form submissions are forbidden%

This is related to bug #13079, which will be fixed by #13101.

But even with #13000 the result is wrong:

curl localhost:4321 \
   -X OPTIONS \
   -H "Access-Control-Request-Method: POST" \
   -H "Access-Control-Request-Headers: content-type" \
   -H "Origin: https://reqbin.com" -i
HTTP/1.1 200 OK
content-type: text/html
Date: Thu, 30 Jan 2025 23:32:17 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

<!DOCTYPE html><html lang="en" data-astro-cid-j7pv25f6> <head><title>Online Store</title><style>@import"https://fonts.googleapis.com/css2?family=Lobster&display=swap";span[data-astro-cid-uctnmiwz]{text-decoration:underline}.cart.svelte-tyuvb9{display:flex;align-items:center;text-decoration:none;color:inherit}.cart.svelte-tyuvb9 :where(.svelte-tyuvb9):first-child{margin-right:5px}.cart-icon.svelte-tyuvb9{font-size:36px}.count.svelte-tyuvb9{font-size:24px}header[data-astro-cid-3ef6ksr2]{margin:1rem 2rem;display:flex;justify-content:space-between}h1[data-astro-cid-3ef6ksr2]{margin:0;font-family:Lobster,cursive;color:#000}a[data-astro-cid-3ef6ksr2],a[data-astro-cid-3ef6ksr2]:visited{color:inherit;text-decoration:none}.right-pane[data-astro-cid-3ef6ksr2]{display:flex}.material-icons[data-astro-cid-3ef6ksr2]{font-size:36px;margin-right:1rem}.container[data-astro-cid-d6puh33w]
...

Note that prerendered pages result in the correct response:

curl localhost:4321 \
   -X OPTIONS \
   -H "Access-Control-Request-Method: POST" \
   -H "Access-Control-Request-Headers: content-type" \
   -H "Origin: https://reqbin.com" -i
HTTP/1.1 204 No Content
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Headers: content-type
Content-Length: 0
Date: Thu, 30 Jan 2025 23:35:12 GMT
Connection: keep-alive
Keep-Alive: timeout=5

Link to Minimal Reproducible Example

N/A

Participation

  • I am willing to submit a pull request for this issue.
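The issue above reports what an SSR route should return for OPTIONS and for a CORS preflight, but not how a route or middleware would produce it. The following is an added example, not code from the issue or from the Astro project: a middleware-style handler written against the Fetch API only (global `Request`, `Response`, `Headers` in Node 18+), shaped like an Astro `onRequest(context, next)` middleware. The route's accepted methods (`ALLOWED_METHODS`), the trusted origins (`ALLOWED_ORIGINS`), the function names and the `context.request` shape are assumptions for the example. It answers a plain OPTIONS request with 204 and `Allow` (RFC 9110 section 9.3.7), adds CORS headers only for a genuine preflight from a trusted origin, and otherwise falls through to the page renderer. It deliberately does not use `Access-Control-Allow-Origin: *` from the expected-result block: reflecting only allow-listed origins is the stricter choice.

```javascript
// Added example (not Astro's own code): answer OPTIONS / CORS preflight for an
// SSR route instead of rendering the page. Runs stand-alone in Node 18+.

// Methods the hypothetical SSR route accepts (assumption). Both Allow and
// Access-Control-Allow-Methods are derived from this one list so they cannot drift.
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'OPTIONS'];

// Origins permitted to make cross-site requests (constructed for the example).
const ALLOWED_ORIGINS = new Set(['https://example.com']);

// Returns a Response for OPTIONS requests, or null so the caller can continue
// to the normal route handler for every other method.
function handleOptions(request, allowedMethods = ALLOWED_METHODS) {
  if (request.method !== 'OPTIONS') return null;

  // RFC 9110 section 9.3.7: a successful OPTIONS response should advertise the
  // optional features applicable to the target resource, e.g. Allow.
  const headers = new Headers({ Allow: allowedMethods.join(', ') });

  const origin = request.headers.get('origin');
  const reqMethod = request.headers.get('access-control-request-method');

  // A CORS preflight is an OPTIONS request that carries both Origin and
  // Access-Control-Request-Method. Only then emit CORS headers, and only for
  // origins we trust: never echo an arbitrary Origin back.
  if (origin !== null && reqMethod !== null) {
    // Caches must key on these request headers because the answer depends on them.
    headers.set('Vary', 'Origin, Access-Control-Request-Method, Access-Control-Request-Headers');

    const methodOk = allowedMethods.includes(reqMethod.toUpperCase());
    if (!ALLOWED_ORIGINS.has(origin) || !methodOk) {
      // Untrusted origin or unsupported method: still a valid OPTIONS answer,
      // but without CORS headers, so the browser refuses the actual request.
      return new Response(null, { status: 204, headers });
    }

    headers.set('Access-Control-Allow-Origin', origin);
    headers.set('Access-Control-Allow-Methods', allowedMethods.join(', '));
    // Permitting the requested headers only tells the browser it may send them;
    // the route itself must still validate their values.
    const reqHeaders = request.headers.get('access-control-request-headers');
    if (reqHeaders) headers.set('Access-Control-Allow-Headers', reqHeaders);
    headers.set('Access-Control-Max-Age', '600');
  }

  // 204 with an empty body: the response content of OPTIONS is optional.
  return new Response(null, { status: 204, headers });
}

// Middleware wrapper in the shape of Astro's onRequest(context, next) (assumed
// shape: context.request is the incoming Request, next() renders the route).
function onRequest(context, next) {
  return handleOptions(context.request) ?? next();
}
```

Wired in as middleware, a preflight such as the `curl -X OPTIONS` command in the issue would receive `204 No Content` with `Allow`, `Vary`, `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers`, while a GET to the same route still renders the page. The same function also gives the non-CORS case (OPTIONS without `Origin`) a correct `Allow`-only answer instead of the HTML body shown in the report.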