wai-cors
simple CORS
Hi! Thanks for maintaining this package, it's very useful to me. I want to discuss the proposed change in #26.
The documentation for CorsResourcePolicy states that all simpleHeaders except for content-type are passed implicitly. If I use simpleCors, then my intention is to have Access-Control-Allow-Origin=*.
However, without content-type the preflight request (at least from Chrome and Firefox) isn't valid, and results in a 400 error.
From the documentation it's not clear to me what the intention is. Is this coming from the standard? We are referred to the w3c simple header list, which includes content-type.
However, for simpleCorsResourcePolicy it is explicitly mentioned that simple requests are not preceded by a preflight request.
So I might be confused, but I feel like adding simpleHeaders to simpleCorsResourcePolicy is the only thing that makes sense. Alternatively, what is the reason for content-type not being implicitly included in corsRequestHeaders?
Unlike other simple headers, Content-Type is a simple header only for certain values:
A header is said to be a simple header if the header field name is an ASCII case-insensitive match for Accept, Accept-Language, or Content-Language or if it is an ASCII case-insensitive match for Content-Type and the header field value media type (excluding parameters) is an ASCII case-insensitive match for application/x-www-form-urlencoded, multipart/form-data, or text/plain.
This has consequences for the resource processing model. I am concerned that explicitly adding the simple headers may lift this restriction. But I am not sure. Anybody who wants to take a deeper dive into the standard with regard to this is welcome.
How about providing another value that would fit the very frequent use-case of supporting:
- OPTIONS method (used in the preflight request in many cases)
- ["Content-Type", "Authorization"] headers
-- Something like that maybe?
-- | A preset version of cors with added OPTIONS method and Content-Type, Authorization headers
apiCors = simpleCorsResourcePolicy
    { corsOrigins        = Nothing
    , corsMethods        = simpleMethods <> ["OPTIONS"]
    , corsRequestHeaders = simpleHeaders <> ["Content-Type", "Authorization"]
    }
Maybe "Authorization" is not frequent enough to justify this, but OPTIONS and Content-Type clearly are. As far as security is concerned, can it simply be stated in the docs that this is not a simpleCors policy anymore?
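For readers who want to see the proposed preset in a running server, here is an added example (not code from the wai-cors project or from anyone in this thread). It wires a policy like the one above into a Warp application with the `cors` middleware from Network.Wai.Middleware.Cors, which answers the browser's preflight itself. Because the policy also admits the Authorization header, the example pins corsOrigins to an explicit list instead of `Nothing` (any origin); the origin `https://app.example.test`, the port and the extra methods are placeholder assumptions.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Network.HTTP.Types (status200)
import Network.Wai (Application, responseLBS)
import Network.Wai.Handler.Warp (run)
import Network.Wai.Middleware.Cors

-- Policy for a JSON API. "Content-Type" must be listed explicitly: it is
-- not part of simpleHeaders, so a preflight for a JSON POST fails without it.
-- Origins are pinned (placeholder value) rather than left at Nothing, since
-- the policy also allows the Authorization header; the Bool enables credentials.
apiCors :: CorsResourcePolicy
apiCors = simpleCorsResourcePolicy
    { corsOrigins        = Just (["https://app.example.test"], True)
    , corsMethods        = simpleMethods <> ["OPTIONS", "PUT", "DELETE"]
    , corsRequestHeaders = simpleHeaders <> ["Content-Type", "Authorization"]
    , corsMaxAge         = Just 600   -- cache the preflight result for 10 minutes
    }

-- Minimal application: every request gets the same JSON body.
app :: Application
app _req respond =
    respond $ responseLBS status200 [("Content-Type", "application/json")] "{\"ok\":true}"

-- The middleware handles OPTIONS preflights and adds the CORS response
-- headers to actual requests; the same policy applies to every route here.
main :: IO ()
main = run 8080 $ cors (const $ Just apiCors) app
```

With the server running, a preflight such as `curl -i -X OPTIONS http://localhost:8080/ -H 'Origin: https://app.example.test' -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: content-type,authorization'` is answered with the Access-Control-Allow-* headers; change the Origin to a value not in the list and the same request is rejected, which is the check to run before shipping a policy that permits Authorization.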
Just got bitten by this, providing a more permissive value out of the box would definitely help!
A documentation issue I think: The docs for simpleCorsResourcePolicy suggest that content-type is included, but it is clearly not.
I struggled to find the problem because Chrome was not showing me the body of the 400 response. I had to use Wireshark to pick up the body, and then the error message made things obvious.