allows head requests to return 200 instead of 403 #13100
Conversation
🦋 Changeset detectedLatest commit: 6e926f5 The changes in this PR will be included in the next version bump. Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
github-actions
bot
added
the
pkg: astro
CodSpeed Performance ReportMerging #13100 will not alter performanceComparing Summary
|
| @@ -25,7 +25,7 @@ export function createOriginCheckMiddleware(): MiddlewareHandler { | |||
| if (isPrerendered) { | |||
| return next(); | |||
| } | |||
| if (request.method === 'GET') { | |||
| if (request.method === 'GET' || request.method === "HEAD") { | |||
There was a problem hiding this comment.
| if (request.method === 'GET' || request.method === "HEAD") { | |
| if (request.method === 'GET' || request.method === 'HEAD' || request.method === 'OPTIONS' || request.method === 'TRACE') { |
There are 2 more safe request methods that should be added as exemptions besides GET and HEAD: OPTIONS and TRACE.
Maybe one should add centralized functions to define safe and unsafe functions/properties on request? So one can do:
if (request.isSafe) { ... }
and reduce scope for making the same mistake in multiple places?
See source for definition of safe methods: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods#safe_idempotent_and_cacheable_request_methods
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
I believe may @corneliusroemer may have a better solution here #13101 |
Changes
fixes this issue #13079 by checking if the request method is "HEAD" it allows it to continue with the middleware and not return a 403
I don't believe the docs should need to be updated