Discard the following HttpContent for preflight request#15941
Merged
normanmaurer merged 25 commits intoDec 3, 2025
Conversation
…lass, int) ignores sampling interval
This reverts commit 87531c7
Signed-off-by: skyguard1 <qhdxssm@qq.com>
Signed-off-by: skyguard1 <qhdxssm@qq.com>
Signed-off-by: skyguard1 <qhdxssm@qq.com>
Member
|
hmm... I don't think this is correct. We either need to always pass down a |
Contributor
Author
However, for preflight requests, the HttpRequest is not being passed down, but the LastHttpContent is. Did I missing something? |
Member
|
@skyguard1 I am just saying we either always need to pass down the request + last content or never.. it always needs to be the combination or none at all. |
Contributor
Author
|
Preflight (OPTIONS + ACRM) is not a business request; it's merely a control request used internally by the browser to retrieve CORS metadata. Therefore, the business logic should never: receive the preflight HttpRequest receive its HttpContent/LastHttpContent. So, for preflight requests, if you don't pass the HttpRequest, you should also not pass the LastHttpContent. This PR is essentially discarding the LastHttpContent for preflight requests, so I don't know what I'm missing. |
Member
|
@skyguard1 What I am saying is that I don't think this should be configurable at all... |
Contributor
Author
|
I got it. So you think the flag should be removed, but this fix is valid. Right? |
Contributor
Author
|
My idea is to first minimize changes through the configuration, and then remove the flag after the release when users have configured and validated the behavior of discarding LastHttpContent. This satisfies the principle of minimal changes. Of course, we could also directly delete the flag to perform this fix. |
Member
|
imho we should just fix it and not have the configuration API. As this is just another API that we need to keep. We could have a system property to fallback to the old behavior but I am not sure this is needed at all. |
Contributor
Author
|
Agreed. Then I will delete this configuration. |
Signed-off-by: skyguard1 <qhdxssm@qq.com>
Contributor
Author
|
Done |
normanmaurer
requested changes
Dec 1, 2025
…uest is forwarded Signed-off-by: skyguard1 <qhdxssm@qq.com>
normanmaurer
requested changes
Dec 1, 2025
Signed-off-by: skyguard1 <qhdxssm@qq.com>
Signed-off-by: skyguard1 <qhdxssm@qq.com>
normanmaurer
requested changes
Dec 1, 2025
…HandlerTest.java Co-authored-by: Norman Maurer <norman_maurer@apple.com>
…HandlerTest.java Co-authored-by: Norman Maurer <norman_maurer@apple.com>
…HandlerTest.java Co-authored-by: Norman Maurer <norman_maurer@apple.com>
…HandlerTest.java Co-authored-by: Norman Maurer <norman_maurer@apple.com>
Contributor
Author
|
|
Member
normanmaurer
reviewed
Dec 2, 2025
normanmaurer
requested changes
Dec 2, 2025
normanmaurer
left a comment
Member
There was a problem hiding this comment.
Almost there... Please also update the PR description etc to reflect what is actual done now
| } | ||
|
|
||
| @Test | ||
| public void allowPrivateNetwork() { |
Member
There was a problem hiding this comment.
nit: This seems to be not related to the PR
Contributor
Author
There was a problem hiding this comment.
Yes. But I found this allowPrivateNetwork is missing for unit test, maybe remove this?
Member
There was a problem hiding this comment.
just do it in a separate PR
| assertFalse(ch.writeInbound(preflight)); | ||
| ReferenceCountUtil.release(ch.readOutbound()); | ||
|
|
||
| LastHttpContent first = LastHttpContent.EMPTY_LAST_CONTENT; |
Member
There was a problem hiding this comment.
nit: You might also want to test with one non-empty one as it should be the same behavior
Signed-off-by: skyguard1 <qhdxssm@qq.com>
…nt' into fix_cors_handler_last_http_content
chrisvest
reviewed
Dec 2, 2025
Signed-off-by: skyguard1 <qhdxssm@qq.com>
chrisvest
approved these changes
Dec 3, 2025
Member
|
@skyguard1 thanks! |
normanmaurer
added a commit
that referenced
this pull request
Dec 3, 2025
Motivation: HttpServerCodec always constructs an `EmptyLastHttpContent` and passes it to the Handler chain when processing OPTIONS requests, The `EmptyLastHttpContent` propagate through the handler chain. However, the CORS handler might still propagate the EmptyLastHttpContent to downstream handlers via fireChannelRead(), causing subsequent handlers to receive only this empty content and lose access to the original request URL. Because `CorsHandler` does not consume this message, it calls `ctx.fireChannelRead(msg)` for the EmptyLastHttpContent. Downstream handlers then observe: No HttpRequest A LastHttpContent with empty content This often breaks other handlers that rely on receiving the `HttpRequest` first or expect consistent HTTP message. This PR fixes an issue in `CorsHandler` where, after handling a CORS preflight (OPTIONS) request, the handler still propagates the subsequent `EmptyLastHttpContent` sent by the `HttpServerCodec` to downstream handler. Modification: - `CorsHandler` track handled preflight and consume the following HttpContent, LastHttpContent until the next HttpRequest is forwarded instead of firing it downstream. - Add tests Result: Fixes #15148 It also improves compatibility with application frameworks and routing handlers that expect well-formed HTTP request/response flows. --------- Signed-off-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: xingrufei <xingrufei@yl.com> Co-authored-by: code-xing_wcar <code.xing@wirelesscar.com> Co-authored-by: Norman Maurer <norman_maurer@apple.com>
normanmaurer
added a commit
that referenced
this pull request
Dec 3, 2025
Motivation: HttpServerCodec always constructs an `EmptyLastHttpContent` and passes it to the Handler chain when processing OPTIONS requests, The `EmptyLastHttpContent` propagate through the handler chain. However, the CORS handler might still propagate the EmptyLastHttpContent to downstream handlers via fireChannelRead(), causing subsequent handlers to receive only this empty content and lose access to the original request URL. Because `CorsHandler` does not consume this message, it calls `ctx.fireChannelRead(msg)` for the EmptyLastHttpContent. Downstream handlers then observe: No HttpRequest A LastHttpContent with empty content This often breaks other handlers that rely on receiving the `HttpRequest` first or expect consistent HTTP message. This PR fixes an issue in `CorsHandler` where, after handling a CORS preflight (OPTIONS) request, the handler still propagates the subsequent `EmptyLastHttpContent` sent by the `HttpServerCodec` to downstream handler. Modification: - `CorsHandler` track handled preflight and consume the following HttpContent, LastHttpContent until the next HttpRequest is forwarded instead of firing it downstream. - Add tests Result: Fixes #15148 It also improves compatibility with application frameworks and routing handlers that expect well-formed HTTP request/response flows. --------- Signed-off-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: xingrufei <xingrufei@yl.com> Co-authored-by: code-xing_wcar <code.xing@wirelesscar.com> Co-authored-by: Norman Maurer <norman_maurer@apple.com>
chrisvest
pushed a commit
that referenced
this pull request
Dec 3, 2025
) Motivation: HttpServerCodec always constructs an `EmptyLastHttpContent` and passes it to the Handler chain when processing OPTIONS requests, The `EmptyLastHttpContent` propagate through the handler chain. However, the CORS handler might still propagate the EmptyLastHttpContent to downstream handlers via fireChannelRead(), causing subsequent handlers to receive only this empty content and lose access to the original request URL. Because `CorsHandler` does not consume this message, it calls `ctx.fireChannelRead(msg)` for the EmptyLastHttpContent. Downstream handlers then observe: No HttpRequest A LastHttpContent with empty content This often breaks other handlers that rely on receiving the `HttpRequest` first or expect consistent HTTP message. This PR fixes an issue in `CorsHandler` where, after handling a CORS preflight (OPTIONS) request, the handler still propagates the subsequent `EmptyLastHttpContent` sent by the `HttpServerCodec` to downstream handler. Modification: - `CorsHandler` track handled preflight and consume the following HttpContent, LastHttpContent until the next HttpRequest is forwarded instead of firing it downstream. - Add tests Result: Fixes #15148 It also improves compatibility with application frameworks and routing handlers that expect well-formed HTTP request/response flows. Signed-off-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: xingrufei <xingrufei@yl.com> Co-authored-by: code-xing_wcar <code.xing@wirelesscar.com>
Contributor
Author
|
It is my pleasure |
normanmaurer
added a commit
that referenced
this pull request
Dec 4, 2025
) Motivation: HttpServerCodec always constructs an `EmptyLastHttpContent` and passes it to the Handler chain when processing OPTIONS requests, The `EmptyLastHttpContent` propagate through the handler chain. However, the CORS handler might still propagate the EmptyLastHttpContent to downstream handlers via fireChannelRead(), causing subsequent handlers to receive only this empty content and lose access to the original request URL. Because `CorsHandler` does not consume this message, it calls `ctx.fireChannelRead(msg)` for the EmptyLastHttpContent. Downstream handlers then observe: No HttpRequest A LastHttpContent with empty content This often breaks other handlers that rely on receiving the `HttpRequest` first or expect consistent HTTP message. This PR fixes an issue in `CorsHandler` where, after handling a CORS preflight (OPTIONS) request, the handler still propagates the subsequent `EmptyLastHttpContent` sent by the `HttpServerCodec` to downstream handler. Modification: - `CorsHandler` track handled preflight and consume the following HttpContent, LastHttpContent until the next HttpRequest is forwarded instead of firing it downstream. - Add tests Result: Fixes #15148 It also improves compatibility with application frameworks and routing handlers that expect well-formed HTTP request/response flows. Signed-off-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: skyguard1 <qhdxssm@qq.com> Co-authored-by: xingrufei <xingrufei@yl.com> Co-authored-by: code-xing_wcar <code.xing@wirelesscar.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation:
HttpServerCodec always constructs an
EmptyLastHttpContentand passes it to the Handler chain when processing OPTIONS requests, TheEmptyLastHttpContentpropagate through the handler chain.However, the CORS handler might still propagate the EmptyLastHttpContent to downstream handlers via fireChannelRead(), causing subsequent handlers to receive only this empty content and lose access to the original request URL.
Because
CorsHandlerdoes not consume this message, it callsctx.fireChannelRead(msg)for the EmptyLastHttpContent.Downstream handlers then observe:
No HttpRequest
A LastHttpContent with empty content
This often breaks other handlers that rely on receiving the
HttpRequestfirst or expect consistent HTTP message.This PR fixes an issue in
CorsHandlerwhere, after handling a CORS preflight (OPTIONS) request, the handler still propagates the subsequentEmptyLastHttpContentsent by theHttpServerCodecto downstream handler.Modification:
This PR adds option to
CorsHandlerto track when a preflight request has been fully handled.Track handled preflight and consume the following inbound HttpContent,LastHttpContent instead of firing it downstream.
Scope: Only affects CORS preflight flow; keeps normal request forwarding unchanged.
Tests: Added cases to verify empty and non-empty LastHttpContent are discarded after preflight and that normal requests continue to forward HttpRequest and content.
It also improves compatibility with application frameworks and routing handlers that expect well-formed HTTP request/response flows.
Result:
Fixes #15148
CorsHandlertrack handled preflight and consume the following HttpContent, LastHttpContent until the next HttpRequest is forwarded instead of firing it downstream.