diff options
| author | Rafał Miłecki <rafal@milecki.pl> | 2020-09-21 16:16:23 +0200 |
|---|---|---|
| committer | Rafał Miłecki <rafal@milecki.pl> | 2020-09-23 08:17:32 +0200 |
| commit | c186212a3075766717cab396a46242f110ee71bd (patch) | |
| tree | 59a27dd7fb15e0680b9e1f1002934b0457d3cfdb | |
| parent | 47c34bd6ad49cae408b8d7c150c6f9f324aaddf5 (diff) | |
| download | uhttpd2-c186212a3075766717cab396a46242f110ee71bd.tar.gz | |
ubus: support GET method with CORS requests
Complex GET requests (e.g. those with custom headers) require browsers
to send preflight OPTIONS request with:
Access-Control-Request-Method: GET
It's important to reply to such requests with the header
Access-Control-Allow-Origin (and optionally others) to allow CORS
requests.
Adding GET to the Access-Control-Allow-Methods is cosmetical as
according to the Fetch standard:
> If request’s method is not in methods, request’s method is not a
> CORS-safelisted method, and request’s credentials mode is "include" or
> methods does not contain `*`, then return a network error.
It basically means that Access-Control-Allow-Methods value is ignored
for GET, HEAD and POST methods.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
| -rw-r--r-- | ubus.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -164,7 +164,7 @@ static void uh_ubus_add_cors_headers(struct client *cl) { char *hdr = (char *) blobmsg_data(tb[HDR_ACCESS_CONTROL_REQUEST_METHOD]); - if (strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS")) + if (strcmp(hdr, "GET") && strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS")) return; } @@ -175,7 +175,7 @@ static void uh_ubus_add_cors_headers(struct client *cl) ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n", blobmsg_get_string(tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS])); - ustream_printf(cl->us, "Access-Control-Allow-Methods: POST, OPTIONS\r\n"); + ustream_printf(cl->us, "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"); ustream_printf(cl->us, "Access-Control-Allow-Credentials: true\r\n"); } |