feat: Add support for CORS requests from a browser #26314
Merged
This commit adds support for CORS by modifying our requests to make preflight checks valid and to handle responses containing the necessary headers for browsers to access the data they need. We keep what we accept as open as this is essentially what requests to the server are normally like and we gate the requests with an auth token. Closes #26313
stuartcarnie
approved these changes
Apr 22, 2025
Contributor
stuartcarnie
left a comment
LGTM – should make it much easier for our users 👏🏻
pauldix
reviewed
Apr 22, 2025
| // the following headers. We do this before the API token checks as | ||
| // the browser will not send a request with an auth header for CORS. | ||
| if let Method::OPTIONS = method { | ||
| info!(?uri, "preflight request"); |
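Review bot: The `if let Method::OPTIONS = method` branch runs ahead of the API token check and, in the lines shown, matches on the method alone, so every OPTIONS request takes the unauthenticated path whether or not it is a real preflight. Consider also requiring the `Origin` and `Access-Control-Request-Method` headers before treating a request as a preflight, and keep the branch limited to returning CORS headers without reaching any handler. The `info!(?uri, "preflight request")` line fires once per unauthenticated request, so `debug!` would keep any client that sends OPTIONS from inflating the log.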
Member
Should this be info? Might be noisy.
Contributor
Author
Ahh, when I went to merge, this comment showed up in my browser tab, which I just had open for a few days. We could change it to debug. Wouldn't be a bad thing.
hiltontj
pushed a commit
that referenced
this pull request
May 2, 2025
This commit adds support for CORS by modifying our requests to make preflight checks valid and to handle responses containing the necessary headers for browsers to access the data they need. We keep what we accept as open as this is essentially what requests to the server are normally like and we gate the requests with an auth token.
Closes #26313
This is honestly quite hard to test unless we have a whole headless browser setup going on which for one test seems a bit excessive and it's unlikely this code will change much if at all once committed.
Here you can see that the request to the server fails based off main

Here the same request passes with CORS headers enabled
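The flow the description outlines (preflight answered before the token check, an open origin policy, the token gating the real request), modelled as an added Rust example that is not the project's code. The `handle` function, `API_TOKEN`, the allowed methods and headers, and the status codes are assumptions.

```rust
use std::collections::HashMap;

// Constructed model, not the project's code. Header names are lowercase keys;
// API_TOKEN, the allowed methods/headers and the status codes are assumptions.
const API_TOKEN: &str = "example-token";

pub struct Response {
    pub status: u16,
    pub headers: HashMap<&'static str, String>,
}

// Open policy as the description states: any origin, access gated by the token.
fn cors_headers() -> HashMap<&'static str, String> {
    HashMap::from([
        ("access-control-allow-origin", "*".to_string()),
        ("access-control-allow-methods", "GET, POST, OPTIONS".to_string()),
        ("access-control-allow-headers", "authorization, content-type".to_string()),
    ])
}

pub fn handle(method: &str, req: &HashMap<&str, &str>) -> Response {
    // Preflight requests carry no credentials, so they are answered before the
    // token check. The reply holds headers only, never data.
    if method == "OPTIONS" {
        return Response { status: 204, headers: cors_headers() };
    }
    // Every other method must present the bearer token. (A real server would
    // compare secrets in constant time.)
    let token = req.get("authorization").and_then(|v| v.strip_prefix("Bearer "));
    let status = if token == Some(API_TOKEN) { 200 } else { 401 };
    // CORS headers also go on the 401 so browser code can read the failure.
    Response { status, headers: cors_headers() }
}

fn main() {
    let origin = ("origin", "https://app.example"); // constructed sample origin
    let preflight = HashMap::from([origin, ("access-control-request-method", "POST")]);
    let anonymous = HashMap::from([origin]);
    let authed = HashMap::from([origin, ("authorization", "Bearer example-token")]);
    println!("OPTIONS, no token -> {}", handle("OPTIONS", &preflight).status);
    println!("POST, no token    -> {}", handle("POST", &anonymous).status);
    println!("POST, with token  -> {}", handle("POST", &authed).status);
}
```

With `access-control-allow-origin: *` the token is the only access control, which is why the non-OPTIONS path must never skip the check.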
