Uhm why has the list of headers allowed by default for CORS kotlinlang #ktor

Uhm, why has the list of headers allowed by defaul...

Marc Knaup

09/26/2019, 1:53 PM

Uhm, why has the list of headers allowed by default for CORS requests been reduced in a patch update of Ktor? That caused quite some unexpected CORS issues which took time to solve…

09/26/2019, 1:54 PM

Because it was a bug

09/26/2019, 1:55 PM

Several headers were accidentally allowed for wrong direction, sorry

Marc Knaup

09/26/2019, 1:56 PM

Yet it’s quite a major change! At least there should be much more info in the release notes than a simple “Server CORS support fixed and improved”.

Content-Type: application/json

is quite common to use. Yet it’s no longer accepted after a patch update 😕

09/26/2019, 1:56 PM

And this is correct according to the specification.

09/26/2019, 1:57 PM

Actually it is noticed in the changelog

09/26/2019, 1:57 PM

Copy code

Breaking changes/Migration steps:

    CORS doesn't allow non-simple request body content types anymore by default
        to allow extra content types such as json, enable allowNonSimpleContentTypes

09/26/2019, 1:58 PM

Sorry for confusion, it should be copied to other lists as well

Marc Knaup

09/26/2019, 1:58 PM

Argh, read over that somehow. Thanks. Still, it’s a patch update breaking a major use case (even if it was just allowed through a bug). Could’ve been fixed with 1.3.x too.

09/26/2019, 2:02 PM

This is done in a patch release because of the security impact so shouldn't be delayed for so long

3 Views

Open in Slack

Previous Next