Closed
Bug Description
Fiber's CORS middleware misclassifies all OPTIONS requests as preflight requests, thereby unduly preventing requests from hitting user-registered OPTIONS endpoints. I've discussed the general problem on my personal blog.
How to Reproduce
Start the server, then exercise it by sending the OPTIONS requests resulting from the following two curl commands:

    curl -v -XOPTIONS \
      localhost:8080/hello

    curl -v -XOPTIONS \
      -H "Origin: https://example.com" \
      localhost:8080/hello

According to the Fetch standard, neither request is a preflight request, because
- the first one lacks both an Origin header and an Access-Control-Request-Method header, and
- the second one lacks an Access-Control-Request-Method header.
However, those requests get interpreted as preflight requests and handled by the CORS middleware rather than by the handler registered on OPTIONS /hello:

    HTTP/1.1 204 No Content
    Date: [REDACTED]
    Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: PUT

Expected Behavior
The first two aforementioned OPTIONS requests should get through the CORS middleware, exercise the handler registered on /hello, and get a response of this kind:

    HTTP/1.1 204 No Content
    Allow: GET, OPTIONS
    Date: [REDACTED]

Fiber Version
v2.52.2
Code Snippet

    package main

    import (
    	"log"

    	"github.com/gofiber/fiber/v2"
    	"github.com/gofiber/fiber/v2/middleware/cors"
    )

    func main() {
    	app := fiber.New()

    	// CORS middleware: any origin allowed, PUT as the only allowed method.
    	app.Use(cors.New(cors.Config{
    		AllowOrigins: "*",
    		AllowMethods: fiber.MethodPut,
    	}))

    	app.Use(func(c *fiber.Ctx) error {
    		if c.Is("json") {
    			return c.Next()
    		}
    		return c.SendString("Only JSON allowed!")
    	})

    	app.Get("/hello", func(c *fiber.Ctx) error {
    		return c.JSON(fiber.Map{
    			"message": "Hello, World!",
    		})
    	})

    	// User-registered handler for OPTIONS /hello.
    	app.Options("/hello", func(c *fiber.Ctx) error {
    		c.Set("Allow", "GET, OPTIONS")
    		return c.SendStatus(fiber.StatusNoContent)
    	})

    	log.Fatal(app.Listen(":8080"))
    }

Checklist:
- I agree to follow Fiber's Code of Conduct.
- I have checked for existing issues that describe my problem prior to opening this one.
- I understand that improperly formatted bug reports may be closed without explanation.