MatrixSynapse/synapse/http
Michael[tm] Smith 27c06a6e06
Drop Origin & Accept from Access-Control-Allow-Headers value (#10114)
* Drop Origin & Accept from Access-Control-Allow-Headers value

This change drops the Origin and Accept header names from the value of the
Access-Control-Allow-Headers response header sent by Synapse. Per the CORS
protocol, it’s not necessary or useful to include those header names.

Details:

Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin
is a “forbidden header name” set by the browser and that frontend
JavaScript code is never allowed to set.

So the value of Access-Control-Allow-Headers isn’t relevant to Origin or
in general to other headers set by the browser itself — the browser
never ever consults the Access-Control-Allow-Headers value to confirm
that it’s OK for the request to include an Origin header.

And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
Accept is a “CORS-safelisted request-header”, which means that browsers
allow requests to contain the Accept header regardless of whether the
Access-Control-Allow-Headers value contains "Accept".

So it’s unnecessary for the Access-Control-Allow-Headers to explicitly
include Accept. Browsers will not perform a CORS preflight for requests
containing an Accept request header.

Related: https://github.com/matrix-org/matrix-doc/pull/3225

Signed-off-by: Michael[tm] Smith <mike@w3.org>
2021-06-23 11:25:03 +01:00
..
federation Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
__init__.py Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
additional_resource.py Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
client.py Use ijson to parse the response to `/send_join`, reducing memory usage. (#9958) 2021-05-20 16:11:48 +01:00
connectproxyclient.py Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
matrixfederationclient.py Fix 'ip_range_whitelist' not working for federation servers (#10115) 2021-06-15 08:53:55 +01:00
proxyagent.py Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
request_metrics.py Remove redundant "coding: utf-8" lines (#9786) 2021-04-14 15:34:27 +01:00
server.py Drop Origin & Accept from Access-Control-Allow-Headers value (#10114) 2021-06-23 11:25:03 +01:00
servlet.py update black to 21.6b0 (#10197) 2021-06-17 15:20:06 +01:00
site.py Log method and path when dropping request due to size limit (#10091) 2021-05-28 16:29:09 +01:00