Page MenuHomeSoftware Heritage

settings/common: Set CORS headers for api paths
ClosedPublic

Authored by anlambert on Nov 6 2020, 4:29 PM.

Diff Detail

Repository
rDWAPPS Web applications
Branch
api-cors-headers
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 16928
Build 26116: Phabricator diff pipeline on jenkinsJenkins console · Jenkins
Build 26115: arc lint + arc unit

Event Timeline

Can we add a check for the OPTIONS request that was failing initially?

Endpoint : /api/1/known/
Method: OPTIONS
Headers:

  • Origin: null
  • Access-Control-Request-Method: POST
  • Access-Control-Request-Headers: Content-Type

Build has FAILED

Patch application report for D4441 (id=15713)

Rebasing onto bee0470c26...

Current branch diff-target is up to date.
Changes applied before test
commit 540f398bcd7a5a9bcced8a208e20b579b9fc72e1
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Fri Nov 6 16:27:10 2020 +0100

    settings/common: Set CORS headers for api paths

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/458/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/458/console

Rebase and add test for OPTIONS request

This revision is now accepted and ready to land.Nov 6 2020, 5:04 PM

Build is green

Patch application report for D4441 (id=15716)

Rebasing onto 9940eee372...

Current branch diff-target is up to date.
Changes applied before test
commit 1fe4ad7bc050e013184b670cf9eee6ee48a62973
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Fri Nov 6 16:27:10 2020 +0100

    settings/common: Set CORS headers for api paths

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/460/ for more details.

Rebase and add test for OPTIONS request

The test for the OPTIONS pre-flight request isn't sending the headers that would actually be sent by a valid pre-flight request, nor whether the response contains the needed headers to validate it.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Examples_of_access_control_scenarios > pre-flighted requests

The OPTIONS need Access-Control-Request-Method and Access-Control-Request-Headers set to relevant values, and needs to check the response for matching Access-Control-Allow-Methods and Access-Control-Allow-Headers values.