Closed rellingson-dev closed 1 week ago
This is intended behavior. The CORS layer will mirror back the origin in the `access-control-allow-origin` response header if it matches your predicate, and omit that header if it doesn't. The browser should then act accordingly (e.g. blocking a subsequent request that would otherwise happen after preflight), regardless of the status code.
Bug Report
Version
0.5
Platform
x86_64 x86_64 x86_64 GNU/Linux
Crates
tower-http-cors
Description
I have recently updated my application from using axum 0.6 to 0.7, which required me to update tower-http to 0.5 from 0.1. After this upgrade, our CORS layer no longer returned 401 Unauthorized errors when getting bad requests. We have allowed methods set to GET and POST and we use a predicate for our allowed origins. I tested both by simplifying the code to just allow POST and to only allow a single origin, but sending GET requests and requests with an invalid origin still returned 200s.
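The behavior described in the closing reply, as an added example that is not part of the original thread and is not tower-http's code: a std-only Rust model in which the CORS step only mirrors or omits the header, next to a separate server-side check that rejects a disallowed origin before the handler runs. The function names, the 403 status and the sample origins are assumptions made for illustration.

```rust
// Std-only model (assumption: NOT tower-http's implementation).
#[derive(Debug, PartialEq)]
struct Response {
    status: u16,
    allow_origin: Option<String>, // access-control-allow-origin value, if sent
}

/// Hypothetical origin predicate: exact match against an allowlist.
fn origin_allowed(origin: &str) -> bool {
    const ALLOWED: [&str; 1] = ["https://app.example.com"]; // constructed sample
    ALLOWED.iter().any(|a| *a == origin)
}

/// CORS step as described in the reply: the header is mirrored on a match and
/// omitted otherwise. The handler still runs and its status is passed through.
fn cors_only(origin: Option<&str>, handler: impl FnOnce() -> u16) -> Response {
    Response {
        status: handler(),
        allow_origin: origin.filter(|o| origin_allowed(o)).map(str::to_owned),
    }
}

/// Separate server-side enforcement in front of the handler: a present but
/// disallowed Origin is rejected without running the handler. Requests with no
/// Origin header (non-browser clients) pass this check, so they still need
/// real authentication; an origin check is not an access-control mechanism.
fn enforce_then_cors(origin: Option<&str>, handler: impl FnOnce() -> u16) -> Response {
    match origin {
        Some(o) if !origin_allowed(o) => Response { status: 403, allow_origin: None },
        _ => cors_only(origin, handler),
    }
}

fn main() {
    let bad = Some("https://other.example"); // constructed sample origin
    let good = Some("https://app.example.com");
    println!("cors only, bad origin:  {:?}", cors_only(bad, || 200));
    println!("enforced, bad origin:   {:?}", enforce_then_cors(bad, || 200));
    println!("enforced, good origin:  {:?}", enforce_then_cors(good, || 200));
    println!("enforced, no Origin:    {:?}", enforce_then_cors(None, || 200));
}
```

With the CORS step alone, the side effects of the handler happen for any origin; only the browser's willingness to expose the response to the calling script changes.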