Skip to content

Added extra check_allowed_headers kludge for Accept request header#13

Open
llaisdy wants to merge 1 commit into
danielwhite:masterfrom
llaisdy:master
Open

Added extra check_allowed_headers kludge for Accept request header#13
llaisdy wants to merge 1 commit into
danielwhite:masterfrom
llaisdy:master

Conversation

@llaisdy

@llaisdy llaisdy commented Apr 12, 2016

Copy link
Copy Markdown

Chrome adds an "accept" value to the Access-Control-Request-Headers request header. This was causing termination of the request.

I've added a kludge/check for this (same as the "origin" kludge/check) to cowboy_cors:check_allowed_headers/4.

Thanks

Ivan

p.s. Thanks v much for cowboy_cors!

Comment thread src/cowboy_cors.erl
check_allowed_headers(Tail, Allowed, Req, State);
check_allowed_headers([<<"accept">>|Tail], Allowed, Req, State) ->
%% KLUDGE: for browsers that include this header.
check_allowed_headers(Tail, Allowed, Req, State);

@danielwhite danielwhite May 7, 2016

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I recall correctly, the prior deals with Safari always requesting the Origin header, no matter what the client does. Is there a case of any browsers doing the same for Accept header?

Perhaps a slightly less restrictive default for allowed_headers when it isn't defined would be more appropriate (e.g. Accept and Content-Type)?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry it's gone out of my mind now :) reading around at the time, it seemed that browser handling of CORS was changing rapidly. Perhaps kludges - and/or less restrictive defaults - are appropriate until/unless things settle.

@danielwhite

Copy link
Copy Markdown
Owner

Thanks for the PR, @llaisdy, I'm really sorry I didn't notice this sooner.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants