# ktor
m
Uhm, why has the list of headers allowed by default for CORS requests been reduced in a patch update of Ktor? That caused quite some unexpected CORS issues which took time to solve…
c
Because it was a bug
Several headers were accidentally allowed for the wrong direction, sorry
m
Yet it’s quite a major change! At least there should be much more info in the release notes than a simple “Server CORS support fixed and improved”.
Content-Type: application/json is quite common to use. Yet it’s no longer accepted after a patch update 😕
c
And this is correct according to the specification.
Actually it is noticed in the changelog
Breaking changes/Migration steps:

    CORS doesn't allow non-simple request body content types anymore by default
        to allow extra content types such as json, enable allowNonSimpleContentTypes
Sorry for the confusion, it should be copied to other lists as well
m
Argh, read over that somehow. Thanks. Still, it’s a patch update breaking a major use case (even if it was just allowed through a bug). Could’ve been fixed with 1.3.x too.
c
This is done in a patch release because of the security impact so shouldn't be delayed for so long