summary refs log tree commit diff
path: root/scripts-dev/complement.sh
diff options
context:
space:
mode:
authorMichael[tm] Smith <mike@w3.org>2021-06-23 19:25:03 +0900
committerGitHub <noreply@github.com>2021-06-23 11:25:03 +0100
commit27c06a6e0699f92bcd02b9e930dc8191ab87305e (patch)
tree4b738f8cb781cc7b0c1d709b9d2c6815f42452cf /scripts-dev/complement.sh
parentFix schema delta to not take as long on large servers (#10227) (diff)
downloadsynapse-27c06a6e0699f92bcd02b9e930dc8191ab87305e.tar.xz
Drop Origin & Accept from Access-Control-Allow-Headers value (#10114)
* Drop Origin & Accept from Access-Control-Allow-Headers value

This change drops the Origin and Accept header names from the value of the
Access-Control-Allow-Headers response header sent by Synapse. Per the CORS
protocol, it’s not necessary or useful to include those header names.

Details:

Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin
is a “forbidden header name” set by the browser and that frontend
JavaScript code is never allowed to set.

So the value of Access-Control-Allow-Headers isn’t relevant to Origin or
in general to other headers set by the browser itself — the browser
never ever consults the Access-Control-Allow-Headers value to confirm
that it’s OK for the request to include an Origin header.

And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
Accept is a “CORS-safelisted request-header”, which means that browsers
allow requests to contain the Accept header regardless of whether the
Access-Control-Allow-Headers value contains "Accept".

So it’s unnecessary for the Access-Control-Allow-Headers to explicitly
include Accept. Browsers will not perform a CORS preflight for requests
containing an Accept request header.

Related: https://github.com/matrix-org/matrix-doc/pull/3225

Signed-off-by: Michael[tm] Smith <mike@w3.org>

Diffstat (limited to 'scripts-dev/complement.sh')
0 files changed, 0 insertions, 0 deletions