From c186212a3075766717cab396a46242f110ee71bd Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Mon, 21 Sep 2020 16:16:23 +0200 Subject: [PATCH] ubus: support GET method with CORS requests MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Complex GET requests (e.g. those with custom headers) require browsers to send preflight OPTIONS request with: Access-Control-Request-Method: GET It's important to reply to such requests with the header Access-Control-Allow-Origin (and optionally others) to allow CORS requests. Adding GET to the Access-Control-Allow-Methods is cosmetical as according to the Fetch standard: > If request’s method is not in methods, request’s method is not a > CORS-safelisted method, and request’s credentials mode is "include" or > methods does not contain `*`, then return a network error. It basically means that Access-Control-Allow-Methods value is ignored for GET, HEAD and POST methods. Signed-off-by: Rafał Miłecki --- ubus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ubus.c b/ubus.c index 1cf5c5f..39b38b2 100644 --- a/ubus.c +++ b/ubus.c @@ -164,7 +164,7 @@ static void uh_ubus_add_cors_headers(struct client *cl) { char *hdr = (char *) blobmsg_data(tb[HDR_ACCESS_CONTROL_REQUEST_METHOD]); - if (strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS")) + if (strcmp(hdr, "GET") && strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS")) return; } @@ -175,7 +175,7 @@ static void uh_ubus_add_cors_headers(struct client *cl) ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n", blobmsg_get_string(tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS])); - ustream_printf(cl->us, "Access-Control-Allow-Methods: POST, OPTIONS\r\n"); + ustream_printf(cl->us, "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"); ustream_printf(cl->us, "Access-Control-Allow-Credentials: true\r\n"); } -- 2.30.2