atuttle / Taffy

:candy: The REST Web Service framework for ColdFusion and Lucee
http://taffy.io

Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False #407

Open chopki opened 3 years ago

chopki commented 3 years ago

CF 2016 / Taffy 3.1 / Java 15.0.1

https://github.com/atuttle/Taffy/blob/3cefedfa5b85d1c023102559584f20e3bfd4ba7b/core/api.cfc#L249

When running an API that had only some resources available for CORS, setting the global allowCrossDomain = false caused Access-Control-Allow-Headers to be output twice, as I was sorting the CORS like the below.

Presumably the line of code in api.cfc is set up to check the length of allowCrossDomain, as you can put in a list of domains, but with false also being treated as a string it also passes this check.

It's not a huge issue, and the workaround was to set allowCrossDomain to an empty string. Running Taffy 3.1.

    <!--- Resource-level preflight handler: answers OPTIONS with this resource's own CORS headers --->
    <cffunction name="options">
        <cfset var loc = {} >

        <!--- Headers returned for this resource only; the framework-level setting should stay off for the rest of the API --->
        <cfset loc.headers = {
            "Access-Control-Allow-Origin" = "*"
            ,"Access-Control-Allow-Headers" = "Origin,Authorization,X-CSRF-Token,X-Requested-With,Content-Type,X-HTTP-Method-Override,Accept,Referrer,User-Agent,X-Custom-Header"
        }>

        <!--- Empty body plus the headers above --->
        <cfreturn
            noData()
            .withHeaders(loc.headers)
        />
    </cffunction>
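As an added example, not code from Taffy itself, the check below shows one way a framework-level setting like the one described in this issue could be evaluated so that boolean `false` (whose string form still has a non-zero length) disables the global CORS header instead of passing a bare `len()` test; the function name `globalCorsOrigin`, the `setting`/`origin` parameters, and the assumption that the setting may hold an origin allow-list are all hypothetical.

```cfml
// Added example (not Taffy's code). Decides what, if anything, the
// framework should send in Access-Control-Allow-Origin for a given
// allowCrossDomain-style setting.
component {

    /**
     * @setting the configured value: boolean, "", "*" or a list of origins
     *          (allow-list support is an assumption for this example)
     * @origin  the request's Origin header, or "" when absent
     * @return  the value for Access-Control-Allow-Origin, or "" when no
     *          framework-level CORS header should be emitted at all
     */
    public string function globalCorsOrigin(required any setting, string origin = "") {
        var domains = "";

        // len(false) is never zero (the string form is "NO" on Adobe CF and
        // "false" on Lucee), so test for a boolean before testing length.
        if ( isBoolean(arguments.setting) ) {
            return arguments.setting ? "*" : "";
        }

        domains = trim(arguments.setting);

        // Empty string: feature off, nothing emitted (the workaround in the issue).
        if ( !len(domains) ) {
            return "";
        }

        // Wildcard: allow any origin.
        if ( domains == "*" ) {
            return "*";
        }

        // Explicit allow-list: echo the origin only when it is listed, so
        // unlisted origins get no CORS header rather than a wildcard.
        if ( len(arguments.origin) && listFindNoCase(domains, arguments.origin) ) {
            return arguments.origin;
        }

        return "";
    }

}
```

With this shape, a resource that sets its own headers in `options()` is the only place those headers are produced when the global setting is `false`, so the duplicate Access-Control-Allow-Headers value cannot appear.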