captncraig / cors

Cross Origin Resource Sharing middleware for go
MIT License

Calling next middleware on failed CORS request #8

Closed stp-ip closed 6 years ago

stp-ip commented 7 years ago

Thanks for providing this plugin. Always great to see open source efforts coming together.

Recently I ran into an issue with mailout (or at least I thought it was the issue source). I'm using CORS to prevent other sites from requesting/sending emails and therefore used the cors plugin.

Config:

cors / https://example.com

So only requests from example.com should be able to send mail/request/post to the given url. The result is that the request seems to fail on the client-side with:

XMLHttpRequest cannot load https://mailout.example.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:1313' is therefore not allowed access.
jquery.min.js:4 XHR failed loading: POST "https://mailout.example.com/".

What I thought would happen: No email would be sent and an error would be returned for the request.

What happened: Email was sent (mailout middleware was called), POST request returned 200.

Might that be an issue with how the CORS middleware handles this, or am I doing something strange on the client side?

For reference: mailout issue

stp-ip commented 7 years ago

Seems fixed in recent releases.

stp-ip commented 7 years ago

Sorry, have to reopen as the fix wasn't related to cors. This issue still persists.

captncraig commented 6 years ago

Sorry I'm a bit late. I'm afraid I'm not clear on the reproduction procedure here. Are you saying a browser request from an unauthorized domain is receiving valid Access-Control-Allow-Origin headers?

I'm not quite clear on which request you think is calling the next middleware inappropriately. The preflight request should be the only request that happens, and if that is handled correctly, no other middlewares should be called. After that, your browser is responsible for blocking the rest unless valid headers are received.

stp-ip commented 6 years ago

Ok. Will look into it again and try to get more context for something reproducible. Thanks for taking the time.

stp-ip commented 6 years ago

Seems to work as expected now. Thanks for all the work.
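
An added example, not code from the cors plugin, mailout, or either commenter: it models the behaviour reported in this issue, assuming the jQuery POST was form-encoded (a request browsers send without a preflight). `headerOnly`, `enforceOrigin` and `simulate` are hypothetical names; the first only withholds the `Access-Control-Allow-Origin` header, the second rejects the request before the mail handler runs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const allowedOrigin = "https://example.com" // origin from the issue's config line

// headerOnly emits the CORS header for the allowed origin but always calls next.
func headerOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
		}
		next.ServeHTTP(w, r)
	})
}

// enforceOrigin returns 403 for any other Origin, so the side effect never happens.
func enforceOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && o != allowedOrigin {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		headerOnly(next).ServeHTTP(w, r)
	})
}

// simulate sends one form-encoded POST and reports status, CORS header and mails sent.
func simulate(mw func(http.Handler) http.Handler, origin string) (int, string, int) {
	sent := 0
	// Stand-in for the mail-sending handler; it only counts invocations.
	mail := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { sent++ })
	req := httptest.NewRequest("POST", "https://mailout.example.com/", strings.NewReader("msg=hi"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	mw(mail).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin"), sent
}

func main() {
	fmt.Println(simulate(headerOnly, "http://localhost:1313"))    // 200, no header, 1 mail
	fmt.Println(simulate(enforceOrigin, "http://localhost:1313")) // 403, no header, 0 mails
}
```

The `Origin` check constrains browsers only; a non-browser client can send any `Origin` value or none, so an endpoint that sends mail still needs its own authentication or rate limiting.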