anonymousland-synapse/synapse
Michael[tm] Smith 27c06a6e06
Drop Origin & Accept from Access-Control-Allow-Headers value (#10114)
* Drop Origin & Accept from Access-Control-Allow-Headers value

This change drops the Origin and Accept header names from the value of the
Access-Control-Allow-Headers response header sent by Synapse. Per the CORS
protocol, it’s not necessary or useful to include those header names.

Details:

Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin
is a “forbidden header name” set by the browser and that frontend
JavaScript code is never allowed to set.

So the value of Access-Control-Allow-Headers isn’t relevant to Origin or
in general to other headers set by the browser itself — the browser
never ever consults the Access-Control-Allow-Headers value to confirm
that it’s OK for the request to include an Origin header.

And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
Accept is a “CORS-safelisted request-header”, which means that browsers
allow requests to contain the Accept header regardless of whether the
Access-Control-Allow-Headers value contains "Accept".

So it’s unnecessary for the Access-Control-Allow-Headers to explicitly
include Accept. Browsers will not perform a CORS preflight for requests
containing an Accept request header.

Related: https://github.com/matrix-org/matrix-doc/pull/3225

Signed-off-by: Michael[tm] Smith <mike@w3.org>
2021-06-23 11:25:03 +01:00
..
_scripts Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
api Add endpoints for backfilling history (MSC2716) (#9247) 2021-06-22 10:02:53 +01:00
app Ensure that errors during startup are written to the logs and the console. (#10191) 2021-06-21 11:41:25 +01:00
appservice Implement knock feature (#6739) 2021-06-09 19:39:51 +01:00
config Warn users trying to use the deprecated spam checker interface (#10210) 2021-06-22 12:24:10 +02:00
crypto When joining a remote room limit the number of events we concurrently check signatures/hashes for (#10117) 2021-06-08 11:07:46 +01:00
events Add endpoints for backfilling history (MSC2716) (#9247) 2021-06-22 10:02:53 +01:00
federation Expose opentracing trace id in response headers (#10199) 2021-06-18 11:43:22 +01:00
groups Rewrite the KeyRing (#10035) 2021-06-02 16:37:59 +01:00
handlers Add endpoints for backfilling history (MSC2716) (#9247) 2021-06-22 10:02:53 +01:00
http Drop Origin & Accept from Access-Control-Allow-Headers value (#10114) 2021-06-23 11:25:03 +01:00
logging Expose opentracing trace id in response headers (#10199) 2021-06-18 11:43:22 +01:00
metrics opentracing: use a consistent name for background processes (#10135) 2021-06-07 17:57:49 +01:00
module_api Standardise the module interface (#10062) 2021-06-18 12:15:52 +01:00
push Split multiplart email sending into a dedicated handler (#9977) 2021-05-17 12:33:38 +02:00
replication update black to 21.6b0 (#10197) 2021-06-17 15:20:06 +01:00
res/templates Port "Allow users to click account renewal links multiple times without hitting an 'Invalid Token' page #74" from synapse-dinsic (#9832) 2021-04-19 19:16:34 +01:00
rest Add endpoints for backfilling history (MSC2716) (#9247) 2021-06-22 10:02:53 +01:00
server_notices Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
spam_checker_api Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
state Use get_current_users_in_room from store and not StateHandler (#9910) 2021-05-05 16:49:34 +01:00
static Add initial support for a "pick your IdP" page (#9017) 2021-01-05 11:25:28 +00:00
storage Fix schema delta to not take as long on large servers (#10227) 2021-06-22 12:00:45 +01:00
streams Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
util Standardise the module interface (#10062) 2021-06-18 12:15:52 +01:00
__init__.py 1.36.0 2021-06-15 15:42:02 +01:00
event_auth.py Implement knock feature (#6739) 2021-06-09 19:39:51 +01:00
notifier.py Improve opentracing annotations for Notifier (#10111) 2021-06-03 16:01:30 +01:00
python_dependencies.py Remove support for ACME v1 (#10194) 2021-06-17 18:56:48 +01:00
server.py Standardise the module interface (#10062) 2021-06-18 12:15:52 +01:00
types.py Ensure that we do not cache empty sync responses after a timeout (#10158) 2021-06-17 16:23:11 +01:00
visibility.py Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00