HomePhabricator

Only return CORS headers in the response as required

Description

Only return CORS headers in the response as required

  • Split out responses of preflight and actual CORS requests
  • If the request is not CORS valid, don't set the CORS response headers

Note that invalid CORS requests should not actually throw error
responses, the client should simply not handle the response because the
response does not have the right headers (it's a client side policy
error not an http error). We do throw a 403 for a mismatch with the
queryparam, but since that is 'outside' of the spec, that might be
appropriate.

Bug: T76701
Change-Id: Ib296c68babe5c0b380268ee7793b3d6d35b9c3e3

Details