You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is an interesting point you made. I read again the W3C specs, regarding the origin (for both actual and pre-flight requests):
If the value of the Origin header is not a case-sensitive match for any of the values in list of origins do not set any additional headers and terminate this set of steps. §6.1.2 and §6.2.2
I am not sure how to interpret this sentence? Should we stop the complete request handling or just the "cors part"?
I looked at other implementations and it seems these projects are also rejecting the request:
in https://github.com/lomigmegard/akka-http-cors/blob/master/akka-http-cors/src/main/scala/ch/megard/akka/http/cors/CorsDirectives.scala#L126
Non preflight request is being rejected because it came from an unknown origin
correct behaviour: Non preflight requests from unknown origins should not be rejected
The text was updated successfully, but these errors were encountered: