From: Rafał Miłecki <ra...@milecki.pl>
Complex GET requests (e.g. those with custom headers) require browsers
to send preflight OPTIONS request with:
Access-Control-Request-Method: GET
It's important to reply to such requests with all relevant
Access-Control-Allow-* headers to allow CORS requests.
Adding GET to the Access-Control-Allow-Methods is cosmetical as
according to the Fetch standard:
> If request’s method is not in methods, request’s method is not a
> CORS-safelisted method, and request’s credentials mode is "include" or
> methods does not contain `*`, then return a network error.
It basically means that Access-Control-Allow-Methods value is ignored
for GET, HEAD and POST methods.
Signed-off-by: Rafał Miłecki <ra...@milecki.pl>
---
ubus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ubus.c b/ubus.c
index 1cf5c5f..39b38b2 100644
--- a/ubus.c
+++ b/ubus.c
@@ -164,7 +164,7 @@ static void uh_ubus_add_cors_headers(struct client *cl)
{
char *hdr = (char *)
blobmsg_data(tb[HDR_ACCESS_CONTROL_REQUEST_METHOD]);
- if (strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS"))
+ if (strcmp(hdr, "GET") && strcmp(hdr, "POST") && strcmp(hdr,
"OPTIONS"))
return;
}
@@ -175,7 +175,7 @@ static void uh_ubus_add_cors_headers(struct client *cl)
ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n",
blobmsg_get_string(tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS]));
- ustream_printf(cl->us, "Access-Control-Allow-Methods: POST,
OPTIONS\r\n");
+ ustream_printf(cl->us, "Access-Control-Allow-Methods: GET, POST,
OPTIONS\r\n");
ustream_printf(cl->us, "Access-Control-Allow-Credentials: true\r\n");
}
--
2.27.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
