https://kotlinlang.org logo
Channels
Powered by
#ktor
Title
# ktor
m

Marc Knaup

09/26/2019, 1:53 PM
Uhm, why has the list of headers allowed by default for CORS requests been reduced in a patch update of Ktor? That caused quite some unexpected CORS issues which took time to solve…
c

cy

09/26/2019, 1:54 PM
Because it was a bug
Several headers were accidentally allowed for wrong direction, sorry
m

Marc Knaup

09/26/2019, 1:56 PM
Yet it’s quite a major change! At least there should be much more info in the release notes than a simple “Server CORS support fixed and improved”. 
Content-Type: application/json
is quite common to use. Yet it’s no longer accepted after a patch update 😕
c

cy

09/26/2019, 1:56 PM
And this is correct according to the specification.
Actually it is noticed in the changelog
Copy code
Breaking changes/Migration steps:

    CORS doesn't allow non-simple request body content types anymore by default
        to allow extra content types such as json, enable allowNonSimpleContentTypes
Sorry for confusion, it should be copied to other lists as well
m

Marc Knaup

09/26/2019, 1:58 PM
Argh, read over that somehow. Thanks. Still, it’s a patch update breaking a major use case (even if it was just allowed through a bug). Could’ve been fixed with 1.3.x too.
c

cy

09/26/2019, 2:02 PM
This is done in a patch release because of the security impact so shouldn't be delayed for so long
3 Views
Powered by