Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions src/cowboy_cors.erl
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,9 @@ check_allowed_headers([<<"origin">>|Tail], Allowed, Req, State) ->
%% header underpins the entire CORS framework, its inclusion in
%% the requested headers is nonsensical.
check_allowed_headers(Tail, Allowed, Req, State);
check_allowed_headers([<<"accept">>|Tail], Allowed, Req, State) ->
%% KLUDGE: for browsers that include this header.
check_allowed_headers(Tail, Allowed, Req, State);

@danielwhite danielwhite May 7, 2016

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I recall correctly, the prior deals with Safari always requesting the Origin header, no matter what the client does. Is there a case of any browsers doing the same for Accept header?

Perhaps a slightly less restrictive default for allowed_headers when it isn't defined would be more appropriate (e.g. Accept and Content-Type)?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry it's gone out of my mind now :) reading around at the time, it seemed that browser handling of CORS was changing rapidly. Perhaps kludges - and/or less restrictive defaults - are appropriate until/unless things settle.

check_allowed_headers([Header|Tail], Allowed, Req, State) ->
case lists:member(Header, Allowed) of
false ->
Expand Down