return_error does handle handle cors errors #4

itsramiel opened this issue Mar 8, 2023 · 1 comment

At the end of ch3, the author explained how to handle cors errors and provide a custom error message back to the client.

The following code was added inside return_error to handle CorsForbidden cors errors, but the return_error never really gets called when there is such an error.

I believe it is because the recover filter is chained before adding the cors filters.

Sorry if I used the wrong terms. I am in the learning process.

h0pes commented Mar 26, 2023

Yes, I noticed the same behavior.
It looks like cors doesn't catch allow_header("not-in-the-request") and allow_any_origin method filters, because I get the following response from the web server with this request:

```
$ curl -X OPTIONS localhost:3030/questions \
      -H "Access-Control-Request-Method: PUT" \
      -H "Access-Control-Request-Header: content-type" \
      -H "Origin: https://not-origin.io" -verbose
*   Trying 127.0.0.1:3030...
* Connected to localhost (127.0.0.1) port 3030 (#0)
> OPTIONS /questions HTTP/1.1
> Host: localhost:3030
> User-Agent: curl/8.0.1
> Accept: */*
> Referer: rbose
> Access-Control-Request-Method: PUT
> Access-Control-Request-Header: content-type
> Origin: https://not-origin.io
> 
< HTTP/1.1 200 OK
< access-control-allow-headers: not-in-the-request
< access-control-allow-methods: POST, DELETE, PUT, GET
< access-control-allow-origin: https://not-origin.io
< content-length: 0
< date: Sun, 26 Mar 2023 11:36:07 GMT
< 
* Connection #0 to host localhost left intact
```

It seems the allow_methods filter works fine though: if I remove one of the allowed HTTP verbs (PUT in this case) and make a request using it, I get:

```
*   Trying 127.0.0.1:3030...
* Connected to localhost (127.0.0.1) port 3030 (#0)
> OPTIONS /questions HTTP/1.1
> Host: localhost:3030
> User-Agent: curl/8.0.1
> Accept: */*
> Referer: rbose
> Access-Control-Request-Method: PUT
> Access-Control-Request-Header: content-type
> Origin: https://not-origin.io
> 
< HTTP/1.1 403 Forbidden
< content-type: text/plain; charset=utf-8
< content-length: 50
< date: Sun, 26 Mar 2023 11:42:45 GMT
< 
* Connection #0 to host localhost left intact
CORS request forbidden: request-method not allowed
```
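
A simplified, std-only model of the composition order discussed in this thread, added here as an example (it is not code from the book, this repository, or warp): a recover step only sees rejections raised by the filter it wraps, so a CORS rejection raised by an outer wrapper falls through to the server's default reply. All names (`run`, `with_cors`, `recover`, `questions`, the `custom error:` body) are assumptions; the header check keys on the CORS spec's plural `Access-Control-Request-Headers`, while the curl command above sends `Access-Control-Request-Header`.

```rust
// Simplified, constructed model of filter composition and CORS preflight checks; not warp's code.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
struct CorsForbidden(&'static str);
#[derive(Debug, PartialEq)]
struct Response { status: u16, body: String }
type Headers = HashMap<&'static str, &'static str>; // lowercase header names
type Filter = Box<dyn Fn(&Headers) -> Result<Response, CorsForbidden>>;
const METHODS: &[&str] = &["POST", "DELETE", "GET"]; // PUT removed, as in the second request
const ALLOWED_HEADERS: &[&str] = &["not-in-the-request"];
// Hypothetical route handler: always answers 200.
fn questions(_: &Headers) -> Result<Response, CorsForbidden> {
    Ok(Response { status: 200, body: "[]".into() })
}
// Models `.recover(return_error)`: it only sees rejections raised by `inner`.
fn recover(inner: Filter) -> Filter {
    Box::new(move |h: &Headers| match inner(h) {
        Err(CorsForbidden(why)) => Ok(Response { status: 403, body: format!("custom error: {}", why) }),
        ok => ok,
    })
}
// Models the CORS wrapper: validates the preflight, then calls `inner`.
fn with_cors(inner: Filter) -> Filter {
    Box::new(move |h: &Headers| {
        if h.get("access-control-request-method").map_or(false, |m| !METHODS.contains(m)) {
            return Err(CorsForbidden("request-method not allowed"));
        }
        // Only the plural name defined by the CORS spec is inspected.
        if let Some(list) = h.get("access-control-request-headers") {
            if list.split(',').any(|x| !ALLOWED_HEADERS.contains(&x.trim())) {
                return Err(CorsForbidden("header not allowed"));
            }
        }
        inner(h)
    })
}
// Builds the chain in either order; an unrecovered rejection gets the default reply.
fn run(recover_outermost: bool, req: &[(&'static str, &'static str)]) -> Response {
    let h: Headers = req.iter().cloned().collect();
    let route: Filter = Box::new(questions);
    let f = if recover_outermost { recover(with_cors(route)) } else { with_cors(recover(route)) };
    f(&h).unwrap_or_else(|CorsForbidden(why)| Response {
        status: 403, body: format!("CORS request forbidden: {}", why),
    })
}
fn main() {
    println!("{:?}", run(false, &[("access-control-request-method", "PUT")]));
}
```
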
