
Origin validation on OPTIONS

Open slashmili opened this issue 7 years ago • 3 comments

Do you think it's necessary to check the request's origin against the configuration on an OPTIONS request?

slashmili, Oct 22 '18 04:10

Doesn't the line below the one you linked to re-call the headers function, but with method set to nil, so that it goes on to check the request's origin here?

https://github.com/mschae/cors_plug/blob/5dfdbb77be6a0b0eabed376a58ff88f9ee51dace/lib/cors_plug.ex#L54 then https://github.com/mschae/cors_plug/blob/5dfdbb77be6a0b0eabed376a58ff88f9ee51dace/lib/cors_plug.ex#L64

CrowdHailer, Jan 04 '19 13:01

What I mean is in here:

https://github.com/mschae/cors_plug/blob/1ca97ed844b200f97bc54df83426815854d1235d/lib/cors_plug.ex#L56-L63

We always set access-control-* headers regardless of whether the origin is set in the configuration or not.

slashmili, Jan 04 '19 14:01

Ahh yes, I see. Same check as is found here: https://github.com/mschae/cors_plug/blob/1ca97ed844b200f97bc54df83426815854d1235d/lib/cors_plug.ex#L74

Could you add a test case that fails because of how it is currently set up? Then we can work out the best way to fix it.

CrowdHailer, Jan 04 '19 14:01
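
The behaviour discussed in this thread, as an added example that is not cors_plug's code and not part of any comment above: a simplified model of preflight header generation with and without an origin gate. The module name, config keys, function names and sample origins are all assumptions made for illustration.

```elixir
defmodule PreflightSketch do
  # Hypothetical configuration; keys are assumptions, not cors_plug's options.
  @config %{
    origins: ["https://app.example.com"],
    methods: ["GET", "POST"],
    headers: ["authorization", "content-type"],
    max_age: 600
  }

  # Behaviour described in the thread: on OPTIONS the preflight headers
  # are appended whether or not the Origin matches the configuration.
  def ungated(method, origin, config \\ @config) do
    base =
      if origin in config.origins,
        do: [{"access-control-allow-origin", origin}],
        else: []

    if method == "OPTIONS", do: base ++ preflight(config), else: base
  end

  # Gated variant: the origin is checked before the method branch, so an
  # unlisted origin receives no access-control-* headers at all.
  def gated(method, origin, config \\ @config) do
    if origin in config.origins do
      base = [{"access-control-allow-origin", origin}, {"vary", "origin"}]
      if method == "OPTIONS", do: base ++ preflight(config), else: base
    else
      []
    end
  end

  defp preflight(config) do
    [
      {"access-control-max-age", Integer.to_string(config.max_age)},
      {"access-control-allow-headers", Enum.join(config.headers, ",")},
      {"access-control-allow-methods", Enum.join(config.methods, ",")}
    ]
  end
end

# Constructed preflight requests: one listed origin, one unlisted origin.
for origin <- ["https://app.example.com", "https://other.example"] do
  IO.inspect(PreflightSketch.ungated("OPTIONS", origin), label: "ungated #{origin}")
  IO.inspect(PreflightSketch.gated("OPTIONS", origin), label: "gated   #{origin}")
end
```

For the unlisted origin, `ungated/3` still returns the max-age, allow-headers and allow-methods entries while `gated/3` returns an empty list, which is the difference a failing test case for this issue would assert on.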