-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS: always returning access-control-allow-origin: *
#8231
Comments
access-control-allow-origin: *
@wkloucek big 🤦 moment ... see cs3org/reva#4461 Somebody ™️ added a custom CORS handling for the DAV handler which overwrote the CORS middleware. |
P2 because it blocks the Web Embed mode from another domain. @JammingBen FYI |
Uff, seems like it could deserve some automated tests. |
Yes. Preflight requests were working fine. |
I added some tests for that #8254 |
I see this as a P1 |
New finding: It works correctly with OCS, the test expectations are wrong. The golang implementation is interpreting the CORS as in a way that only the needed values for |
Isn't that exactly how CORS work!? From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin:
|
The tests were expecting something different. Need to fix the tests. |
Describe the bug
I'm configuring
OCIS_CORS_ALLOW_ORIGINS
tohttp://localhost:8080
Steps to reproduce
origin: http://localhost:8080
and in verbose mode-vv
Expected behavior
We have following header in the response:
access-control-allow-origin: http://localhost:8080
Actual behavior
We have following header in the response:
access-control-allow-origin: *
Setup
oCIS 5.0.0-rc.2
Additional context
was supposed to fixed in #5108 ?
The text was updated successfully, but these errors were encountered: