Closed
Description
If the Origin is not allowed on an OPTIONS request, the CORS middleware will pass the request through to the next handler.
i.e. This test fails:
```go
func TestCORSHandlerOptionsRequestMustNotBePassedToNextHandlerWhenOriginNotAllowed(t *testing.T) {
	r := newRequest("OPTIONS", "http://www.example.com/")
	r.Header.Set("Origin", r.URL.String())
	r.Header.Set(corsRequestMethodHeader, "GET")

	rr := httptest.NewRecorder()

	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		t.Fatal("Options request must not be passed to next handler")
	})

	CORS(AllowedOrigins([]string{}))(testHandler).ServeHTTP(rr, r)

	if status := rr.Code; status != http.StatusOK {
		t.Fatalf("bad status: got %v want %v", status, http.StatusOK)
	}
}
```
I would have expected this request to be met with a 200 OK with no CORS headers as per other CORS implementations.
We recently deployed badly configured CORS allowed origins for one of our apps and were getting 404s on preflight requests since the middleware was handing control back to the app.
If this is something you are interested in fixing I can spend some time on a PR.
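The behaviour the report expects, sketched as an added stand-alone example using only the Go standard library (this is not gorilla/handlers code or its eventual fix): the middleware answers every preflight itself and emits CORS headers only for an allowed origin. `preflightGuard`, `sendPreflight`, the origins and the fixed method list are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// preflightGuard (hypothetical) terminates every CORS preflight instead of forwarding it.
func preflightGuard(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		preflight := r.Method == http.MethodOptions && origin != "" &&
			r.Header.Get("Access-Control-Request-Method") != ""
		if !preflight {
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Add("Vary", "Origin")
		if allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, POST")
		}
		// Disallowed origin: 200 with no CORS headers, so the browser rejects the preflight.
		w.WriteHeader(http.StatusOK)
	})
}

// sendPreflight runs a constructed preflight through the guard and returns the
// status, the Access-Control-Allow-Origin value, and whether the app handler ran.
func sendPreflight(origin string, allowed map[string]bool) (int, string, bool) {
	reached := false
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reached = true
		http.NotFound(w, r) // app has no OPTIONS route, as in the report
	})
	req := httptest.NewRequest(http.MethodOptions, "http://www.example.com/", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "GET")
	rr := httptest.NewRecorder()
	preflightGuard(allowed, app).ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("Access-Control-Allow-Origin"), reached
}

func main() {
	allowed := map[string]bool{"https://app.example.com": true}
	fmt.Println(sendPreflight("https://app.example.com", allowed))
	fmt.Println(sendPreflight("https://other.example.net", allowed))
}
```

With this shape a misconfigured allow-list shows up in the browser as a failed CORS check rather than as a 404 from the application's router.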