cors icon indicating copy to clipboard operation
cors copied to clipboard

Add Access-Control-Allow-Origin before aborting

Open tj opened this issue 6 years ago • 6 comments

I plan on sending a PR at some point, just opening this for reference or if someone else wants to grab it.

I think here if we respond with Access-Control-Allow-Origin first it'll lead to nicer browser errors, and require fewer trips to enabling debugging with this middleware to discover what went wrong.

Currently this kind of masks issues with the other fields, so the browser basically just says you don't have access at all. Let me know if that sounds reasonable!

tj avatar Apr 24 '18 20:04 tj

Re-reading the spec, I'm not sure we should stop the processing of the preflight request until there is a parsing error. I might revisit this.

rs avatar Apr 24 '18 21:04 rs

When the browser uses <img crossOrigin=Anonymous> there is no pre-flight and this line here halts the execution before isOriginAllowed realizes the desired * origins.

Should I open a separate issue or are we talking about the same thing?

bithavoc avatar Jun 10 '19 16:06 bithavoc

Yes, I think it's a different issue.

rs avatar Jun 10 '19 17:06 rs

@tj For what it's worth, I mentioned this issue in my latest my blog post.

jub0bs avatar Feb 08 '23 18:02 jub0bs

Related: https://github.com/whatwg/fetch/issues/1588

jub0bs avatar Oct 29 '23 09:10 jub0bs