mirror of
https://git.anonymousland.org/anonymousland/synapse.git
synced 2025-11-18 04:29:55 -05:00
27c06a6e06
* Drop Origin & Accept from Access-Control-Allow-Headers value This change drops the Origin and Accept header names from the value of the Access-Control-Allow-Headers response header sent by Synapse. Per the CORS protocol, it’s not necessary or useful to include those header names. Details: Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: https://github.com/matrix-org/matrix-doc/pull/3225 Signed-off-by: Michael[tm] Smith <mike@w3.org> |
||
|---|---|---|
| .. | ||
| _scripts | ||
| api | ||
| app | ||
| appservice | ||
| config | ||
| crypto | ||
| events | ||
| federation | ||
| groups | ||
| handlers | ||
| http | ||
| logging | ||
| metrics | ||
| module_api | ||
| push | ||
| replication | ||
| res/templates | ||
| rest | ||
| server_notices | ||
| spam_checker_api | ||
| state | ||
| static | ||
| storage | ||
| streams | ||
| util | ||
| __init__.py | ||
| event_auth.py | ||
| notifier.py | ||
| python_dependencies.py | ||
| server.py | ||
| types.py | ||
| visibility.py | ||