ipfs / gateway-conformance

a vendor-agnostic gateway conformance test suite for implementers of IPFS Gateways to ensure compliance with https://specs.ipfs.tech/http-gateways/

CORS test sends non-CORS request #217

Open achingbrain opened 2 months ago

achingbrain commented 2 months ago

There's a test:

"GET Responses from Gateway should include CORS headers allowing JS from other origins to read the data cross-origin."

It makes a GET request to "/ipfs/{{CID}}/" and expects Access-Control-Allow-Origin etc. in the response.

The test sends:

GET /ipfs/bafkqabtimvwgy3yk/ HTTP/1.1
Host: host.docker.internal:8080
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

The fetch spec says:

A CORS request is an HTTP request that includes an Origin header. It cannot be reliably identified as participating in the CORS protocol as the Origin header is also included for all requests whose method is neither GET nor HEAD.

There is no Origin header in the request, so this is not a CORS request.

Why does the test expect CORS headers in the response?

achingbrain commented 2 months ago

I would say also, the GET test expects the following headers to be present in the response:

Of these only Access-Control-Allow-Origin is valid in the response to a CORS request, the others are for a CORS-preflight request (e.g. OPTIONS, not GET) so I don't think this test is valid. Ref - https://fetch.spec.whatwg.org/#http-responses

Is it just asserting on the behaviour of the go-HTTP server? There's no mention of CORS in any of the HTTP Gateway specs so it's unclear what's intended to happen here.
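
The distinction raised in this thread, as an added example that is not part of the issue or of gateway-conformance: a Go handler that emits CORS headers only for requests carrying an Origin header, probed with the three request shapes discussed (plain GET, GET with Origin, OPTIONS preflight). `gatewayHandler`, `corsHeaders`, the `*` allow-origin policy and the sample origin are assumptions made for illustration, not behaviour required by the gateway specs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// gatewayHandler is a hypothetical handler (an assumption, not a real gateway) that
// emits CORS headers only when the request takes part in the CORS protocol.
func gatewayHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Add("Vary", "Origin") // response depends on Origin, so caches must key on it
	if r.Header.Get("Origin") != "" { // only a request with Origin is a CORS request
		w.Header().Set("Access-Control-Allow-Origin", "*")
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS") // preflight only
			w.WriteHeader(http.StatusNoContent)
			return
		}
	}
	fmt.Fprintln(w, "hello")
}

// corsHeaders runs one request in-process and returns the sorted Access-Control-* response header names.
func corsHeaders(method string, reqHeaders map[string]string) []string {
	req := httptest.NewRequest(method, "/ipfs/bafkqabtimvwgy3yk/", nil)
	for k, v := range reqHeaders {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	gatewayHandler(rec, req)
	names := []string{}
	for name := range rec.Result().Header {
		if strings.HasPrefix(name, "Access-Control-") {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	o := "https://example.org" // constructed sample origin
	pre := map[string]string{"Origin": o, "Access-Control-Request-Method": "GET"}
	fmt.Println("GET, no Origin:", corsHeaders("GET", nil))
	fmt.Println("GET + Origin:  ", corsHeaders("GET", map[string]string{"Origin": o}))
	fmt.Println("preflight:     ", corsHeaders("OPTIONS", pre))
}
```

Against a handler like this one, the request quoted in the first comment (no Origin header) gets no Access-Control-* headers back, so an assertion on them only exercises the CORS path if the test request sets Origin.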