MusicBrainz Server / MBS-6033

Allow CORS preflights

    • Improvement
    • Resolution: Fixed
    • High
    • 2019-06-30
    • 2013-03-11
    • Web service
    • None

      Currently we allow "simple" CORS requests as per MBS-2979. These don't use authentication or additional headers, and use a simple Content-Type. They don't need any preflights and work fine.

      Some clients make preflight requests, though. Sometimes these are bugs; sometimes they support a wider range of servers with the same code.
      One of these clients currently not working unpatched is Swagger https://developers.helloreverb.com/swagger/ (see MBS-5307).

      We should handle preflight requests as per http://www.w3.org/TR/cors/#resource-preflight-requests
      (nice graphic at http://www.html5rocks.com/static/images/cors_server_flowchart.png)

      We still don't allow submitting data via CORS, so no authentication/credentials and only the GET method.
      Adding this feature wouldn't be a problem, but a potential security issue (malicious sites use a user-login).

            bitmap Michael Wiencek
            jonnyjd Johannes Dewender
                Version Package: 2019-06-30
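
The policy requested in the ticket (answer preflights, but only for GET and never with credentials) can be sketched as follows. This is an added example, not MusicBrainz Server code: the function name, the request-header allow-list, the wildcard origin and the max-age value are assumptions.

```python
# Added example. Policy from the ticket: GET only, no credentials.
# The header allow-list, max-age and wildcard origin are assumptions.
ALLOWED_METHODS = ("GET",)
ALLOWED_HEADERS = {"accept", "accept-language", "user-agent", "x-requested-with"}
MAX_AGE_SECONDS = "3600"


def preflight_response(method, headers):
    """Return (status, headers) for a CORS preflight, or None if the
    request is not a preflight and should go to normal handling."""
    h = {k.lower(): v for k, v in headers.items()}
    wanted_method = h.get("access-control-request-method")
    if method != "OPTIONS" or "origin" not in h or wanted_method is None:
        return None

    # The answer depends on these request headers, so caches must key on them.
    vary = {"Vary": "Access-Control-Request-Method, Access-Control-Request-Headers"}

    wanted_headers = [
        name.strip().lower()
        for name in h.get("access-control-request-headers", "").split(",")
        if name.strip()
    ]
    # Refuse by omitting every Access-Control-* header: the browser then
    # blocks the real request. Authorization is not on the allow-list, so
    # authenticated calls fail here.
    if wanted_method not in ALLOWED_METHODS or any(
        name not in ALLOWED_HEADERS for name in wanted_headers
    ):
        return 403, vary

    resp = dict(vary)
    # "*" is only valid because Access-Control-Allow-Credentials is never sent.
    resp["Access-Control-Allow-Origin"] = "*"
    resp["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    if wanted_headers:
        resp["Access-Control-Allow-Headers"] = ", ".join(wanted_headers)
    resp["Access-Control-Max-Age"] = MAX_AGE_SECONDS
    return 204, resp
```

The 403 status for refused preflights is a choice made here; what makes the browser block the follow-up request is the absence of the Access-Control-* headers.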