  1. MusicBrainz Server
  2. MBS-6033

Allow CORS preflights


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2013-03-11
    • Fix Version/s: 2019-06-30
    • Component/s: Web service
    • Labels:
      None

      Description

      Currently we allow "simple" CORS requests as per MBS-2979. These don't use authentication or additional headers, and they use a simple Content-Type. They don't need any preflights and work fine.

      Some clients make preflight requests though. Sometimes these are bugs, sometimes they support a wider range of servers with the same code.
      One of these clients that currently doesn't work unpatched is Swagger https://developers.helloreverb.com/swagger/ (see MBS-5307).

      We should handle preflight requests as per http://www.w3.org/TR/cors/#resource-preflight-requests
      (nice graphic in http://www.html5rocks.com/static/images/cors_server_flowchart.png)

      We still don't allow submitting data via CORS. So no authentication/credentials and only the GET method.
      Adding this feature wouldn't be a problem, but it is a potential security issue (malicious sites using a user's login).
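
      The policy this ticket describes (answer preflights, GET only, no credentials), sketched as an added example that is not MusicBrainz Server code. The header allowlist, wildcard origin, max-age value and status codes are assumptions, and `handle_preflight` is a hypothetical name.

```python
# Added example: preflight policy from the ticket (GET only, no credentials).
ALLOWED_METHODS = {"GET"}  # ticket: "only the GET method"
# Assumption: illustrative allowlist; the ticket names no headers.
# "authorization" is left out on purpose (ticket: no authentication).
ALLOWED_REQUEST_HEADERS = {"accept", "accept-language", "content-type", "user-agent"}


def handle_preflight(method, headers):
    """Return (status, response_headers) for a CORS preflight.

    `headers` maps request header names (any case) to values.
    Returns None when the request is not a preflight and should go
    down the normal web-service code path.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("origin")
    requested_method = h.get("access-control-request-method")
    if method != "OPTIONS" or not origin or not requested_method:
        return None

    # Refusal: answer without any CORS headers, so the browser never
    # sends the actual request. The 403 status is an assumption.
    if requested_method not in ALLOWED_METHODS:
        return 403, {}
    requested = [name.strip().lower()
                 for name in h.get("access-control-request-headers", "").split(",")
                 if name.strip()]
    if any(name not in ALLOWED_REQUEST_HEADERS for name in requested):
        return 403, {}

    response = {
        # Assumption: public read-only data, so any origin may read it.
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Max-Age": "86400",  # assumed cache lifetime, seconds
    }
    if requested:
        response["Access-Control-Allow-Headers"] = ", ".join(requested)
    # Access-Control-Allow-Credentials is deliberately never set, so a
    # browser will not expose responses to cookie-bearing requests.
    return 204, response
```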


              People

              • Assignee:
                bitmap Michael Wiencek
                Reporter:
                jonnyjd Johannes Dewender
