Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 [Bug]: CORS middleware misclassifies all OPTIONS requests as preflight requests #2920

Closed
3 tasks done
jub0bs opened this issue Mar 17, 2024 · 1 comment · Fixed by #2921
Closed
3 tasks done

🐛 [Bug]: CORS middleware misclassifies all OPTIONS requests as preflight requests #2920

jub0bs opened this issue Mar 17, 2024 · 1 comment · Fixed by #2921
Assignees
@gaby @sixcolors
Labels
☢️ Bug

Comments

@jub0bs
Copy link

jub0bs commented Mar 17, 2024
edited
Loading

Bug Description

Fiber's CORS middleware misclassifies all OPTIONS requests as preflight requests, thereby unduly preventing requests from hitting user-registered OPTIONS endpoints. I've discussed the general problem on my personal blog.

How to Reproduce

Start the server, then exercise it by sending the OPTIONS requests resulting from the following two curl commands:

curl -v -XOPTIONS \
  localhost:8080/hello
curl -v -XOPTIONS \
  -H "Origin: https://example.com" \
  localhost:8080/hello

According to the Fetch standard, neither request is a preflight request, because

  • the first one lacks both an Origin header and an Access-Control-Request-Method header, and
  • the second one lacks an Access-Control-Request-Method header.

However, those requests get interpreted as preflight requests and handled by the CORS middleware rather than by the handler registered on OPTIONS /hello:

HTTP/1.1 204 No Content
Date: [REDACTED]
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT

Expected Behavior

The first two aforementioned OPTIONS requests should get through the CORS middleware, exercise the handler registered on /hello, and get a response of this kind:

HTTP/1.1 204 No Content
Allow: GET, OPTIONS
Date: [REDACTED]

Fiber Version

v2.52.2

Code Snippet

package main

import (
	"log"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func main() {
	app := fiber.New()

	app.Use(cors.New(cors.Config{
		AllowOrigins: "*",
		AllowMethods: fiber.MethodPut,
	}))

	app.Use(func(c *fiber.Ctx) error {
		if c.Is("json") {
			return c.Next()
		}
		return c.SendString("Only JSON allowed!")
	})

	app.Get("/hello", func(c *fiber.Ctx) error {
		return c.JSON(fiber.Map{
			"message": "Hello, World!",
		})
	})

	app.Options("/hello", func(c *fiber.Ctx) error {
		c.Set("Allow", "GET, OPTIONS")
		return c.SendStatus(fiber.StatusNoContent)
	})

	log.Fatal(app.Listen(":8080"))
}

Checklist:

  • I agree to follow Fiber's Code of Conduct.
  • I have checked for existing issues that describe my problem prior to opening this one.
  • I understand that improperly formatted bug reports may be closed without explanation.
@gaby gaby changed the title 🐛 [Bug]: the CORS middleware misclassifies all OPTIONS requests as preflight requests 🐛 [Bug]: CORS middleware misclassifies all OPTIONS requests as preflight requests Mar 17, 2024
@sixcolors
Copy link
Member

Options request without Origin fixed by #2915

Bug report applies for missing Access-Control-Request-Method header.

@sixcolors sixcolors mentioned this issue Mar 17, 2024
Merged
@ReneWerner87 ReneWerner87 mentioned this issue Mar 26, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gaby gaby

@sixcolors sixcolors

Labels
☢️ Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(middleware/cors): Categorize requests correctly gofiber/fiber
3 participants
@gaby @sixcolors @jub0bs