It doesn't appear that Crow executes middlewares at all for OPTIONS requests. This means that crow::CORSHandler is useless when handling CORS preflight requests. For other kinds of requests (GET, POST, etc.), Crow runs the middleware.
Without the proper CORS headers in the OPTIONS response, the browser will complain when custom headers are added into the request:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://0.0.0.0:18080/wordle_key_pressed/y. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 204.
What should happen: when curl -X OPTIONS is used, Crow should execute the crow::CORSHandler middleware, which will respond with the right CORS headers.
What actually happens: Crow does not run any middlewares, and no CORS headers are present in the response:
$ curl -X OPTIONS -v http://0.0.0.0:18000
* Trying 0.0.0.0:18000...
* Connected to 0.0.0.0 (127.0.0.1) port 18000 (#0)
> OPTIONS / HTTP/1.1
> Host: 0.0.0.0:18000
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Allow: OPTIONS, HEAD, GET
< Content-Length: 0
< Server: Crow/master
< Date: Mon, 24 Oct 2022 03:29:49 GMT
<
* Connection #0 to host 0.0.0.0 left intact
Just to confirm that crow::CORSHandler is working as it should be, it does respond with all the required CORS headers for GET requests:
$ curl -v http://0.0.0.0:18000
* Trying 0.0.0.0:18000...
* Connected to 0.0.0.0 (127.0.0.1) port 18000 (#0)
> GET / HTTP/1.1
> Host: 0.0.0.0:18000
> User-Agent: curl/7.84.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Headers: *
< Access-Control-Allow-Methods: *
< Access-Control-Allow-Origin: *
< Content-Length: 11
< Server: Crow/master
< Date: Mon, 24 Oct 2022 03:30:04 GMT
< Connection: Keep-Alive
<
* Connection #0 to host 0.0.0.0 left intact
Hello world
Preamble
It doesn't appear that Crow executes middlewares at all for OPTIONS requests. This means that
crow::CORSHandler
is useless when handling CORS preflight requests. For other kinds of requests (GET, POST, etc.), Crow runs the middleware.Without the proper CORS headers in the OPTIONS response, the browser will complain when custom headers are added into the request:
Reproducing
Reproducing code for
```cpp #include "crow_all.h" int main() { crow::Appcrow::CORSHandler
What should happen: when
curl -X OPTIONS
is used, Crow should execute thecrow::CORSHandler
middleware, which will respond with the right CORS headers.What actually happens: Crow does not run any middlewares, and no CORS headers are present in the response:
Just to confirm that
crow::CORSHandler
is working as it should be, it does respond with all the required CORS headers for GET requests: