Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not Matched Preflight Request goes through the whole Rails stack #106

Closed
faragorn opened this issue Jan 20, 2016 · 2 comments
Closed

Not Matched Preflight Request goes through the whole Rails stack #106

faragorn opened this issue Jan 20, 2016 · 2 comments

Comments

@faragorn
Copy link

Server setup:

   config.middleware.insert_before 0, 'Rack::Cors' do
      allow do
        origins 'http://localhost:3001'
        resource '/api/*', headers: :any, methods: [:get, :delete, :put, :post, :options]
      end
    end

Preflight Request:

Request URL: http://localhost:3000/api/users
Request Method: OPTIONS
Origin: 'http://localhost:3002'
Access-Control-Request-Method: GET
Access-Control-Request-Header:

Server Responds:

404 Not Found (Routing Error)

It is a syntacticly valid preflight request, which is not allowed on the server side. It gets through the whole stack, instead of being denied.

I read other issues in this repo and it seems like this is desired behaviour. Or is it a bug?

In case if this is not a bug developers have to handle invalid preflight requests when it gets through the app stack and explicitly return whatever they want. The main problem for me is that request goes through the whole stack. It is pretty obvious that server should deny invalid Preflight Requests at the first place. Maybe being able to create custom responses for invalid preflight requests sounds like a convenient and not very intrusive solutions.

I still haven't finished reading the whole W3 Org spec. But definitely will get back to it and try to find suggested way of handling invalid preflights from the server side.

I have a possible solution(optional proc or something for custom handling of invalid preflight requests) and gonna create a PR soon.
@dhampik
Copy link

dhampik commented Jul 2, 2016

Seems like it can be solved by adding

  match '*all', to: proc { [204, {}, ['']] }, via: :options

in the beginning of config/routes.rb which will cause all unprocessed (by rack-cors) options requests result in 204 No content
Maybe that's not the best way how to solve it, anyway, I think cors should be configured in nginx when possible.

@JerryArns
Copy link

I think Im having the same issue. Im using latest rails version on heroku. Angular, when sending post request with params, preflight options requests are causing rails to return 404 .

cyu added a commit that referenced this issue Jul 15, 2017
@cyu
Don’t send failed preflight requests thru app
492244b 
[Fixes #106]
@cyu cyu closed this as completed Jul 15, 2017
This was referenced Jul 15, 2017
Closed
Closed
Closed
Closed
@itzsaga itzsaga mentioned this issue May 12, 2020
Merged
@dependabot dependabot bot mentioned this issue Mar 13, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cyu @dhampik @JerryArns @faragorn