Add HEAD to CORS ALL_METHODS list #1112
The HEAD method is conspicuously absent from the allowed methods list when `allow_methods="*"` is used. This doesn't really affect CORS preflight requests, as HEAD requests aren't preflighted by the browser, but it does prevent the actual cross-origin HEAD response from being read by the calling app. [This can catch people off-guard.](https://discuss.encode.io/t/for-cors-middleware-why-is-head-not-included-in-all-methods/939) This simply adds HEAD to the `ALL_METHODS` list in the CORS middleware module and includes some additional tests to validate the new behavior.
It does seem to be specified in the spec. https://fetch.spec.whatwg.org/ Do you know of any reason it might have been missing?
Nope, I just discovered it when I found that the
… check Co-authored-by: euri10 <euri10@users.noreply.github.com>
Hmm, this one's failing in the same way as #1111 with I think errors in the database code.
@euri10 I forgot about this one. Looks like tests are passing now.