Skip to content

Not Matched Preflight Request goes through the whole Rails stack #106

New issue
New issue
Closed
Closed
Not Matched Preflight Request goes through the whole Rails stack#106
@faragorn

Description

@faragorn
faragorn
opened on Jan 20, 2016

Server setup:

   config.middleware.insert_before 0, 'Rack::Cors' do
      allow do
        origins 'http://localhost:3001'
        resource '/api/*', headers: :any, methods: [:get, :delete, :put, :post, :options]
      end
    end

Preflight Request:

Request URL: http://localhost:3000/api/users
Request Method: OPTIONS
Origin: 'http://localhost:3002'
Access-Control-Request-Method: GET
Access-Control-Request-Header:

Server Responds:

404 Not Found (Routing Error)

It is a syntacticly valid preflight request, which is not allowed on the server side. It gets through the whole stack, instead of being denied.

I read other issues in this repo and it seems like this is desired behaviour. Or is it a bug?

In case if this is not a bug developers have to handle invalid preflight requests when it gets through the app stack and explicitly return whatever they want. The main problem for me is that request goes through the whole stack. It is pretty obvious that server should deny invalid Preflight Requests at the first place. Maybe being able to create custom responses for invalid preflight requests sounds like a convenient and not very intrusive solutions.

I still haven't finished reading the whole W3 Org spec. But definitely will get back to it and try to find suggested way of handling invalid preflights from the server side.

I have a possible solution(optional proc or something for custom handling of invalid preflight requests) and gonna create a PR soon.

Activity

dhampik

dhampik commented on Jul 2, 2016

@dhampik
dhampik
on Jul 2, 2016

Seems like it can be solved by adding

  match '*all', to: proc { [204, {}, ['']] }, via: :options

in the beginning of config/routes.rb which will cause all unprocessed (by rack-cors) options requests result in 204 No content
Maybe that's not the best way how to solve it, anyway, I think cors should be configured in nginx when possible.

JerryArns

JerryArns commented on Apr 11, 2017

@JerryArns
JerryArns
on Apr 11, 2017

I think Im having the same issue. Im using latest rails version on heroku. Angular, when sending post request with params, preflight options requests are causing rails to return 404 .

cyu
added a commit that references this issue on Jul 15, 2017

Don’t send failed preflight requests thru app

492244b
cyu
closed this as completedon Jul 15, 2017
cyu
mentioned this in 4 issues on Jul 15, 2017
itzsaga
mentioned this on May 12, 2020
dependabot
mentioned this on Mar 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @cyu@dhampik@JerryArns@faragorn

        Issue actions
          Not Matched Preflight Request goes through the whole Rails stack · Issue #106 · cyu/rack-cors