cyu / rack-cors

Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.
MIT License

Remove Content-Type header from preflight OPTIONS response #180

Closed Borzik closed 5 years ago

Borzik commented 5 years ago

Rack-cors used to set the Content-Type header to text/plain on preflight requests. It was added 9 years ago because the Rack spec required it at that time. In 2012, the Rack spec was updated, so the Content-Type header is no longer required. The reason someone would need this header to be removed is the new CORB protection. If you check its description here, you'll see that a response to an OPTIONS request with a text/plain header will be blocked. Blocking does not affect any functionality; it just shows an error in the Chrome console. But to get rid of these messages, preflight response headers should not include the Content-Type header.

I also released the bundler dependency, because it was quite restricted and referred to an outdated version of bundler.
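A minimal Rack-style preflight responder that follows the behaviour described in this PR, added here as an example (it is not rack-cors's own code); the origin allow-list, the `preflight_header_issues` audit helper and the sample header values are assumptions:

```ruby
# Added example, not rack-cors's own code. Minimal Rack-style middleware that
# answers CORS preflight requests the way this PR describes: the OPTIONS
# response carries the Access-Control-* headers but no Content-Type.
class PreflightResponder
  def initialize(app, origins:)
    @app = app
    @origins = origins # constructed allow-list, e.g. ['https://app.example']
  end

  # A preflight is an OPTIONS request that names an Origin and the method
  # the browser intends to use for the real request.
  def preflight?(env)
    env['REQUEST_METHOD'] == 'OPTIONS' &&
      env.key?('HTTP_ORIGIN') &&
      env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
  end

  def call(env)
    return @app.call(env) unless preflight?(env) && @origins.include?(env['HTTP_ORIGIN'])

    headers = {
      'Access-Control-Allow-Origin'  => env['HTTP_ORIGIN'],
      'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE',
      'Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'],
      'Access-Control-Max-Age'       => '1728000',
      'Vary'                         => 'Origin'
    }.compact # drop Allow-Headers when the browser requested none
    # No Content-Type here on purpose: the body is empty, the Rack spec no
    # longer requires the header, and a text/plain preflight is exactly what
    # CORB reports in the Chrome console.
    [200, headers, []]
  end
end

# Audit helper (assumed, not from rack-cors): lists what is wrong with a
# preflight response's headers. Lookup is case-insensitive because Rack 3
# uses lowercase header names while older apps use the canonical spelling.
def preflight_header_issues(headers)
  issues = []
  ct = headers.find { |name, _| name.to_s.casecmp?('content-type') }
  issues << "Content-Type present (#{ct[1]})" if ct
  unless headers.any? { |name, _| name.to_s.casecmp?('access-control-allow-origin') }
    issues << 'Access-Control-Allow-Origin missing'
  end
  issues
end
```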

cyu commented 5 years ago

@Borzik This looks good - thanks for the analysis, makes it easier on me. Can you remove the CONTENT_TYPE constant as well?

audiolion commented 5 years ago

Does this need the X-Content-Type-Options: nosniff as well to clear the warning? Was reading https://www.chromium.org/Home/chromium-security/corb-for-developers and was a bit confused by the requirements.

cyu commented 5 years ago

@audiolion it sounds like X-Content-Type-Options should be paired with a Content-Type header, I don’t think it is relevant to this PR.