go-safeweb

Reassess the cors plugin

Open empijei opened this issue 2 years ago • 0 comments

Working with the CORS plugin has proven quite hard in my testing experience.

Installing it immediately makes all requests fail, including just simple GET requests that don't have an "Origin" header.

This is very anti-ergonomic. We should only block requests that might be using CORS, and use an InterceptorConfig to relax the protection of specific handlers.

The default behavior of the plugin should be to make an application that doesn't make use of CORS behave exactly as before, but reject all CORS requests.

Then users could relax the behavior on specific endpoints.

empijei, Oct 10 '22 15:10
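The default proposed in this issue, sketched as an added example (not part of the issue and not go-safeweb's code): a plain `net/http` middleware that leaves non-CORS requests alone, rejects cross-origin ones, and lets specific paths opt in. The names `corsGuard`, `relaxed` and `probe`, the sample origins, and the host-only same-origin test are assumptions; preflight handling is left out.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// corsGuard passes non-CORS requests through untouched and rejects cross-origin
// ones unless relaxed (hypothetical: path -> allowed origins) lists the caller.
// It is plain net/http, not go-safeweb's plugin or InterceptorConfig API.
func corsGuard(relaxed map[string][]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		// Assumption: an Origin whose host equals the request Host is same-origin
		// (scheme is not compared); browsers send Origin on same-origin POSTs too.
		if u, err := url.Parse(origin); origin == "" || (err == nil && u.Host == r.Host) {
			next.ServeHTTP(w, r)
			return
		}
		for _, o := range relaxed[r.URL.Path] {
			if o == origin {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				w.Header().Add("Vary", "Origin")
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "cross-origin request rejected", http.StatusForbidden)
	})
}

// probe sends one constructed request through h and returns the status code.
func probe(h http.Handler, method, path, origin string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Origin", origin) // "" behaves like an absent header here
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	h := corsGuard(map[string][]string{"/api": {"https://app.example"}}, ok)
	fmt.Println(probe(h, "GET", "/page", ""), probe(h, "GET", "/page", "https://other.example"),
		probe(h, "GET", "/api", "https://app.example"))
}
```

Behind a TLS-terminating proxy the handler cannot see the original scheme, which is why this sketch compares hosts only; a deployment that knows its own origin should compare the full origin string instead.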