Closed kinglozzer closed 1 year ago
bump
The issue attached to this PR is in our "backlog with PRs" column and will be refined in a future backlog refinement session. We're still pretty busy getting the CMS 5 release ready so we haven't had a chance to look at this properly yet.
@kinglozzer Let me know if you're going to continue with this PR, otherwise I'll close this one for now
Not likely to have time soon 😔
This will no longer output a 403 error if origin is invalid - CORS headers are to protect things client side, not server side, so there’s no security benefit in triggering this error.
The Access-Control-Allow-Origin is now only output if the origin is valid. For valid origins, that matches the current behaviour. For invalid origins, this is a behavioural change (it used to 403) but this new behaviour will correctly trigger preflight errors:
One other minor behavioural change here - if developer has opted to allow all origins, this will now explicitly output Access-Control-Allow-Origin: * instead of Access-Control-Allow-Origin: <current origin>
Issue 519
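The before/after behaviour from the PR description above, modelled as an added Python example (not code from this PR or the project). The function names, the 200 status, the Vary header and the sample origins are assumptions of the example.

```python
# Added illustration of the described change; all names here are hypothetical.

def old_cors(origin, allowed):
    """Behaviour before the change, as the PR description states it."""
    if "*" in allowed or origin in allowed:
        # Allow-all used to echo the caller's origin back.
        return 200, {"Access-Control-Allow-Origin": origin}
    return 403, {}  # an invalid origin was rejected server-side


def new_cors(origin, allowed):
    """Behaviour after the change: never 403, header only for valid origins."""
    if "*" in allowed:
        return 200, {"Access-Control-Allow-Origin": "*"}
    if origin in allowed:
        # "Vary: Origin" is this example's addition (keeps shared caches from
        # serving one origin's response to another); the PR does not mention it.
        return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 200, {}  # no header: the browser fails the CORS check itself


def browser_accepts(origin, headers, credentials=False):
    """Simplified browser-side check of Access-Control-Allow-Origin."""
    allow = headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if allow == "*":
        # Browsers reject the wildcard on credentialed requests.
        return not credentials
    return allow == origin


if __name__ == "__main__":
    allowed = ["https://app.example"]  # constructed sample configuration
    for origin in ("https://app.example", "https://other.example"):
        status, headers = new_cors(origin, allowed)
        print(origin, status, headers, browser_accepts(origin, headers))
```

The wildcard case matters for credentialed requests: an echoed origin can pass the browser check where a literal * cannot.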