• Improvement
    • Resolution: Fixed
    • High
    • 2019-06-30
    • 2013-03-11
    • Web service
    • None

      Currently we allow "simple" CORS requests as per MBS-2979. These don't use authentication or additional headers, and use a simple Content-Type. They don't need any preflights and work fine.

      Some clients make preflight requests though. Sometimes these are bugs, sometimes they support a wider range of servers with the same code.
      One of these clients that currently doesn't work unpatched is Swagger https://developers.helloreverb.com/swagger/ (see MBS-5307)

      We should handle preflight requests as per http://www.w3.org/TR/cors/#resource-preflight-requests
      (nice graphic in http://www.html5rocks.com/static/images/cors_server_flowchart.png)

      We still don't allow submitting data via CORS. So no authentication/credentials and only the GET method.
      Adding this feature wouldn't be a problem, but it would be a potential security issue (malicious sites using a user's login)

                    bitmap Michael Wiencek
                    jonnyjd Johannes Dewender
                    Votes: 3
                    Watchers: 4

                      Created:
                      Updated:
                      Resolved:

                        Version Package
                        2019-06-30
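
The preflight policy this ticket asks for (answer preflights, GET only, no credentials), written out as an added example; it is not MusicBrainz server code. The function name, the allowed request-header list and the max-age value are assumptions, since the ticket does not state them.

```python
# Added example: preflight decision for a read-only, credential-free CORS policy.
ALLOWED_METHODS = ("GET",)  # from the ticket: only the GET method
# Assumption: the ticket does not say which request headers to accept.
ALLOWED_REQUEST_HEADERS = {"accept", "accept-language", "content-type"}
MAX_AGE_SECONDS = 86400     # assumption: how long browsers may cache the answer


def handle_preflight(method, headers):
    """Return (status, response_headers) for a CORS preflight, or None when
    the request is not a preflight and should be handled as usual."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    requested_method = h.get("access-control-request-method")
    if method != "OPTIONS" or origin is None or requested_method is None:
        return None

    # Method names are compared case-sensitively, as the CORS spec requires.
    if requested_method not in ALLOWED_METHODS:
        return 204, {}  # no CORS headers: the browser blocks the real request

    requested = [f.strip().lower()
                 for f in h.get("access-control-request-headers", "").split(",")
                 if f.strip()]
    # "authorization" is not in the allow-list, so authenticated requests
    # from other origins fail here.
    if any(f not in ALLOWED_REQUEST_HEADERS for f in requested):
        return 204, {}

    response = {
        # A wildcard origin is only valid because credentials are never
        # allowed; browsers refuse "*" for credentialed requests.
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Max-Age": str(MAX_AGE_SECONDS),
    }
    if requested:
        response["Access-Control-Allow-Headers"] = ", ".join(requested)
    # Deliberately no Access-Control-Allow-Credentials header.
    return 204, response
```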
