Closed Borzik closed 5 years ago
@Borzik This looks good - thanks for the analysis, makes it easier on me. Can you remove the CONTENT_TYPE constant as well?
Does this need the X-Content-Type-Options: nosniff as well to clear the warning? Was reading https://www.chromium.org/Home/chromium-security/corb-for-developers and was a bit confused by the requirements.
@audiolion it sounds like X-Content-Type-Options should be paired with a Content-Type header, I don't think it is relevant to this PR.
Rack-cors used to set the Content-Type header to text/plain on preflight requests. It was added 9 years ago because the rack spec required it at that time. In 2012, the rack spec was updated, so the Content-Type header is no longer required. The reason why someone would need this header to be removed is the new CORB protection. If you check its description here, you'll see that a response to an OPTIONS request with a text/plain header will be blocked. Blocking does not affect any functionality, it just shows an error in the Chrome console. But to get rid of these messages, preflight response headers should not include the Content-Type header.

I also released the bundler dependency, because it was quite restricted and referred to an outdated version of bundler.
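The behaviour described in this PR, as an added example that is not rack-cors code: a minimal Rack-style middleware that answers CORS preflight (OPTIONS) requests itself and sends no Content-Type header at all, since the body is empty and text/plain on an OPTIONS response is exactly what CORB flags in the Chrome console. It also includes a small check that would have caught the old text/plain preflight. The origin list, paths and the backend app are constructed sample values, and the middleware depends only on the Rack calling convention (env hash in, [status, headers, body] out), not on the rack gem.

```ruby
# Added example, not rack-cors code. Demonstrates a preflight response that
# omits Content-Type, plus a check for the text/plain header CORB warns about.

# Constructed sample: origins this API accepts CORS requests from.
ALLOWED_ORIGINS = ["https://app.example.test"].freeze

# Rack-style middleware (plain Ruby, no rack gem needed) that short-circuits
# CORS preflight requests and passes everything else to the wrapped app.
class CorsPreflight
  def initialize(app, origins: ALLOWED_ORIGINS)
    @app = app
    @origins = origins
  end

  def call(env)
    return @app.call(env) unless preflight?(env)

    origin = env["HTTP_ORIGIN"]
    # Unknown origin: hand the request to the app without any CORS headers,
    # so the browser rejects the preflight rather than us echoing the origin.
    return @app.call(env) unless @origins.include?(origin)

    headers = {
      "Access-Control-Allow-Origin" => origin,
      "Access-Control-Allow-Methods" => env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"],
      "Access-Control-Allow-Headers" => env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"].to_s,
      "Access-Control-Max-Age" => "1728000",
      "Vary" => "Origin",
    }
    # Deliberately no Content-Type: the body is empty, and "text/plain" here
    # is what triggers the CORB message on OPTIONS responses.
    [200, headers, []]
  end

  private

  # A CORS preflight is an OPTIONS request carrying Origin and
  # Access-Control-Request-Method.
  def preflight?(env)
    env["REQUEST_METHOD"] == "OPTIONS" &&
      env.key?("HTTP_ORIGIN") &&
      env.key?("HTTP_ACCESS_CONTROL_REQUEST_METHOD")
  end
end

# Returns true when a preflight response carries a text/plain Content-Type,
# i.e. the header combination this PR removes. Header name match is
# case-insensitive so it works with both Rack 2 and Rack 3 style header keys.
def corb_flagged_preflight?(headers)
  pair = headers.find { |name, _| name.to_s.downcase == "content-type" }
  return false if pair.nil?
  pair.last.to_s.downcase.start_with?("text/plain")
end

# Constructed sample preflight env, as a browser would send before a
# cross-origin POST with a Content-Type request header.
def sample_preflight_env(origin: "https://app.example.test")
  {
    "REQUEST_METHOD" => "OPTIONS",
    "PATH_INFO" => "/api/items",
    "HTTP_ORIGIN" => origin,
    "HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "POST",
    "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "content-type",
  }
end

# Constructed backend app standing in for the real application.
def sample_backend
  ->(_env) { [200, { "Content-Type" => "application/json" }, ['{"ok":true}']] }
end

if __FILE__ == $PROGRAM_NAME
  app = CorsPreflight.new(sample_backend)
  status, headers, _body = app.call(sample_preflight_env)
  puts "preflight status=#{status} content-type present=#{headers.key?("Content-Type")}"
  puts "old text/plain preflight flagged: #{corb_flagged_preflight?("Content-Type" => "text/plain")}"
end
```

The check is worth keeping in a test suite: it asserts the property the PR relies on (no Content-Type on the preflight) rather than the Chrome console message, which is the only place the blocking is visible.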