Wildcard in Access-Control-Allow-Headers will not cover Authorization Header #81

Closed
alphafalcon opened this issue Mar 25, 2025 · 2 comments
Labels: bug (Something isn't working), enhancement (New feature or request)

@alphafalcon

Followup to #77
I'm now getting a deprecation warning in the Electron console that

> Authorization will not be covered by the wildcard symbol (*) in CORS Access-Control-Allow-Headers handling.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Headers#sect states that

> The value * only counts as a special wildcard value for requests without credentials

For now, everything is working, but it's possible that things might break unexpectedly.
Returning the content of Access-Control-Request-Headers in Access-Control-Allow-Headers should satisfy every client.

Please note, I'm not a web dev, so take my theories with the needed skepticism.

mostlygeek added a commit that referenced this issue Mar 25, 2025

Changes to CORS functionality: 

- `Access-Control-Allow-Origin: *` is set for all requests 
- for pre-flight OPTIONS requests
  - specify methods: `Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS`
  - if the client sent `Access-Control-Request-Headers` then echo back the same value in `Access-Control-Allow-Headers`. If no `Access-Control-Request-Headers` were sent, then send back a default set
  - set `Access-Control-Max-Age: 86400`, which may improve performance
- Add CORS tests to the proxy-manager
@mostlygeek
Owner

Thanks for looking into this. I refactored this code in #83 and now llama-swap will echo back whatever was asked for in Access-Control-Request-Headers. This should also address the issue in #77 as well.

@mostlygeek added the bug and enhancement labels Mar 25, 2025
@mostlygeek
Owner

Release the updated code in v99.
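
The pre-flight handling listed in the commit message above, sketched as Go `net/http` middleware. This is an added example, not llama-swap's own code; `withCORS`, `preflight`, the fallback header list, the request path and the `Vary` line are assumptions made here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed fallback list; the page does not say which defaults the project sends.
const defaultAllowHeaders = "Content-Type, Authorization, Accept, X-Requested-With"

// withCORS sets the headers named in the commit message. The Vary header is an
// addition made here so caches keep pre-flight answers apart per requested set.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*")
		if r.Method != http.MethodOptions {
			next.ServeHTTP(w, r)
			return
		}
		h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
		// Name the requested headers explicitly: "*" does not cover Authorization.
		if req := r.Header.Get("Access-Control-Request-Headers"); req != "" {
			h.Set("Access-Control-Allow-Headers", req)
		} else {
			h.Set("Access-Control-Allow-Headers", defaultAllowHeaders)
		}
		h.Add("Vary", "Access-Control-Request-Headers")
		h.Set("Access-Control-Max-Age", "86400")
		w.WriteHeader(http.StatusNoContent)
	})
}

// preflight sends a constructed OPTIONS request through withCORS and returns
// the Access-Control-Allow-Headers value a browser would receive.
func preflight(requested string) string {
	req := httptest.NewRequest(http.MethodOptions, "/v1/chat/completions", nil)
	if requested != "" {
		req.Header.Set("Access-Control-Request-Headers", requested)
	}
	rec := httptest.NewRecorder()
	withCORS(http.NotFoundHandler()).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Headers")
}

func main() {
	fmt.Println(preflight("authorization, content-type"), "|", preflight(""))
}
```

Echoing the requested list means the pre-flight permits any header a page asks for, so the `Authorization` value itself has to be validated server-side on the actual request. With `Access-Control-Allow-Origin: *`, browsers still reject requests made in credentials mode (cookies), so only tokens a script attaches explicitly get through.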
