labrinth icon indicating copy to clipboard operation
labrinth copied to clipboard

Published 20 hours ago verified publisher icon modrinth

CORS header is not included when rate limited

Open ryanccn opened this issue 1 year ago • 1 comments

Describe the bug

When a client has exceeded the rate limit, the returned 429 Too Many Requests response does not include an Access-Control-Allow-Origin header, leading to the response being opaque to web applications.

Steps to reproduce

  1. Go over the rate limit
  2. Fetch any API route with the Origin header

Expected behavior

The CORS header should be included even on rate limited responses so that client applications can read the response.

Additional context

No response

ryanccn avatar Feb 01 '24 13:02 ryanccn