Fix cors preflight request (#1235)

This commit is contained in:
KonradStaniec 2022-09-21 17:28:15 +02:00 committed by GitHub
parent 51f3124717
commit a5dc16537e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 22 additions and 13 deletions

View File

@ -45,7 +45,8 @@ proc httpCors*(allowedOrigins: seq[Uri]): HttpAuthHook =
# this section shared by all http method
let origin = parseUri(origins[0])
let resp = req.getResponse()
if not allowedOrigins.containsOrigin(origin):
if not everyOriginAllowed and not allowedOrigins.containsOrigin(origin):
return await req.respond(Http403, "Origin not allowed")
if everyOriginAllowed:
@ -57,21 +58,29 @@ proc httpCors*(allowedOrigins: seq[Uri]): HttpAuthHook =
resp.addHeader("Vary", "Origin")
resp.addHeader("Access-Control-Allow-Origin", origins[0])
if req.meth == MethodOptions:
# Preflight request
let meth = resp.getHeader("Access-Control-Request-Method", "?")
if meth != "?":
# TODO: get actual methods supported by respective server
# e.g. JSON-RPC, GRAPHQL, ENGINE-API
resp.addHeader("Access-Control-Allow-Methods", "GET, POST")
resp.addHeader("Vary", "Access-Control-Request-Method")
let methods = req.headers.getList("Access-Control-Request-Method")
let heads = resp.getHeader("Access-Control-Request-Headers", "?")
if heads != "?":
# Check it this is preflight request
# There are three conditions to identify proper preflight request:
# - Origin header is present (we checked this earlier)
# - It uses OPTIONS method
# - It has Access-Control-Request-Method header
if req.meth == MethodOptions and len(methods) > 0:
# TODO: get actual methods supported by respective server
# e.g. JSON-RPC, GRAPHQL, ENGINE-API
resp.addHeader("Access-Control-Allow-Methods", "GET, POST")
resp.addHeader("Vary", "Access-Control-Request-Method")
# check headers
let headers = req.headers.getString("Access-Control-Request-Headers", "?")
if headers != "?":
# TODO: get actual headers supported by each server?
resp.addHeader("Access-Control-Allow-Headers", heads)
resp.addHeader("Access-Control-Allow-Headers", headers)
resp.addHeader("Vary", "Access-Control-Request-Headers")
return await req.respond(Http400)
# Response to preflight request should be in 200 range.
return await req.respond(Http204)
# other method such as POST or GET will fill
# the rest of response in server