Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CORS] Fixes Cors Headers with Case Insensitive Matching #758

Merged
merged 3 commits into from
Apr 18, 2018
Merged

[CORS] Fixes Cors Headers with Case Insensitive Matching #758

merged 3 commits into from
Apr 18, 2018

Conversation

eliasjpr
Copy link
Contributor

@eliasjpr eliasjpr commented Apr 17, 2018
edited
Loading

Resolves #757

Description of the Change

This solves two issues with CORS:

Headers currently are not checking case-insensitive values for
Access-Control-Request-Headers. Allowed headers should match
against Access-Control-Request-Headers values.

There was the belief that response.flush writes the contents of the
response halting the request, this is not true, instead the request is
continuing the pipeline.

Changes

  • Adds case insensitive check to Access-Control-Request-Headers
  • Validates that Access-Control-Request-Headers values match against
    ALLOWED_HEADERS
  • Adds invalid preflight specs.
  • Prevents call next for preflight requests

Benefits

With these changes in the event of preflight requests should
respond to case insensitive preflight headers and the call_next
should not be called.

[CORS] Fixes Cors Headers Match Case Insensitive
5feec87 
Resolves #757

This solves two issues with CORS:

Headers currently are not checking case-insensitive values for
`Access-Control-Request-Headers`. Allowed headers should match
against `Access-Control-Request-Headers` values.

There was the belief that `response.flush` writes the contents of the
response halting the request, this is not true, instead the request is
continuing the pipeline.

- Adds case insensitive check to `Access-Control-Request-Headers`
- Validates that `Access-Control-Request-Headers` values match against
ALLOWED_HEADERS
- Adds invalid preflight specs.
- Prevents call next for preflight requests

With these changes in the event of preflight requests should
respond to case insensitive preflight headers and the `call_next`
should not be called.
fridgerator
fridgerator approved these changes Apr 17, 2018
View reviewed changes
Copy link
Contributor

@fridgerator fridgerator left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

faustinoaq
faustinoaq approved these changes Apr 17, 2018
View reviewed changes
Copy link
Contributor

@faustinoaq faustinoaq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

@robacarp robacarp changed the title [CORS] Fixes Cors Headers Match Case Insensitive [CORS] Fixes Cors Headers with Case Insensitive Matching Apr 18, 2018
@eliasjpr eliasjpr merged commit 1729fd5 into master Apr 18, 2018
@faustinoaq faustinoaq deleted the ep/cors-fixes branch June 21, 2018 00:53
@faustinoaq faustinoaq added this to the Version 0.8.0 milestone Jun 21, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@faustinoaq faustinoaq faustinoaq approved these changes

@fridgerator fridgerator fridgerator approved these changes

@elorest elorest Awaiting requested review from elorest

@robacarp robacarp Awaiting requested review from robacarp

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Version 0.8.1
Development

Successfully merging this pull request may close these issues.
3 participants
@eliasjpr @fridgerator @faustinoaq