search

larskuhtz / wai-cors

A Haskell implementation of Cross-Origin resource sharing (CORS) for Wai
MIT License
26 stars 13 forks source link

Cannot do CORS requests (no preflight) when using the OPTIONS method #37

Open laurenceisla opened 6 months ago

laurenceisla commented 6 months ago

After setting corsIgnoreFailures = False and doing a request like:

curl -X OPTIONS "localhost:3000/test" \
  -H "Origin: http://localhost"

The library returns:

Access-Control-Request-Method header is missing in CORS preflight request

But we don't want to make a preflight request in this case, just a CORS request using the OPTIONS method and Origin header.

Right now, the library is not allowing us to create our own implementation for OPTIONS and accessing it using scripts in browsers. In other words, the browser sends the preflight and receives 200 OK with the relevant headers, but the subsequent OPTIONS request (our implementation) fails with the error mentioned at the start.

I used the spec as a source to support this https://fetch.spec.whatwg.org/#http-requests:

A CORS request is an HTTP request that includes an Origin header.

Which applies to my example.

A CORS-preflight request is a CORS request [...] It uses OPTIONS as method and includes the following header:

Access-Control-Request-Method

I interpret this part (emphasis mine) as a way to transform a CORS request into a preflight request. So, if it doesn't have the header it's just a no preflight CORS request (not an error).

laurenceisla commented 6 months ago

I made this work in my fork. If you agree I can turn it into a PR: https://github.com/larskuhtz/wai-cors/compare/master...laurenceisla:wai-cors:options-no-preflight