Opened on 02/09/2019 at 11:26:20 AM
Closed on 08/29/2019 at 05:43:18 PM
#7269 closed change (rejected)
Do not rewrite preflight OPTIONS requests
Reported by: | mjethani | Assignee: | |
---|---|---|---|
Priority: | Unknown | Milestone: | |
Module: | Platform | Keywords: | circumvention, closed-in-favor-of-gitlab |
Cc: | sebastian, kzar, hfiguiere, agiammarchi | Blocked By: | |
Blocking: | | Platform: | Unknown / Cross platform |
Ready: | no | Confidential: | no |
Tester: | Unknown | Verified working: | no |
Review URL(s): |
Description
Background
When the browser wants to send a cross-origin request, it first checks with the server whether the server understands CORS using a preflight request. This is an OPTIONS request that the browser sends automatically. Once the server responds with the appropriate methods with the Access-Control-Allow-Methods header, the browser makes the actual GET or POST request.
When we rewrite a URL using the $rewrite option, we want to rewrite the URL for the actual GET or POST request, not the OPTIONS request, because if we do this the call fails and the site resorts to other ways to show ads.
What to change
In lib/requestBlocker.js, rewrite the URL only if the method is not OPTIONS.
Attachments (0)
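An added example (not Adblock Plus code and not part of the ticket) of the method check proposed under "What to change". It also replays a preflight plus the actual request to show which URLs still go out unrewritten when the check is on. The function names, the rule format and the `ads.example` URLs are assumptions made for illustration; `details` mirrors the `url` and `method` fields of a WebExtensions webRequest details object.

```javascript
// Added example with hypothetical names; not the code in lib/requestBlocker.js.
// Constructed rewrite rule: match a URL prefix, replace the whole URL.
const sampleRules = [
  {prefix: "https://ads.example/serve", target: "https://ads.example/empty.json"}
];

function findRewrite(url, rules) {
  const rule = rules.find(r => url.startsWith(r.prefix));
  return rule ? rule.target : null;
}

// Returns a webRequest-style blocking response ({} means "leave untouched").
// skipPreflight=true is the behaviour the ticket proposes.
function onBeforeRequest(details, rules, skipPreflight) {
  const target = findRewrite(details.url, rules);
  if (target === null)
    return {};
  // Method check only: onBeforeRequest carries no request headers, so every
  // OPTIONS request is treated as a preflight here.
  if (skipPreflight && details.method === "OPTIONS")
    return {};
  return {redirectUrl: target};
}

// Replays a list of requests and returns those that match a rewrite rule
// but would still be sent with their original URL.
function unrewrittenUrls(requests, rules, skipPreflight) {
  return requests
    .filter(d => findRewrite(d.url, rules) !== null)
    .filter(d => !onBeforeRequest(d, rules, skipPreflight).redirectUrl)
    .map(d => d.method + " " + d.url);
}

// Constructed sample: the two requests a browser issues for one
// cross-origin POST that needs a preflight.
const sampleExchange = [
  {method: "OPTIONS", url: "https://ads.example/serve?slot=1"},
  {method: "POST", url: "https://ads.example/serve?slot=1"}
];

// Rewrite everything, preflight included: nothing goes out unrewritten.
console.log(unrewrittenUrls(sampleExchange, sampleRules, false));
// Ticket's proposal: the preflight goes out with its original URL.
console.log(unrewrittenUrls(sampleExchange, sampleRules, true));
```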
Change History (5)
comment:2 Changed on 02/09/2019 at 11:29:44 AM by mjethani
- Cc hfiguiere added
comment:3 Changed on 02/10/2019 at 12:20:21 PM by mjethani
- Cc agiammarchi added
comment:4 in reply to: ↑ description Changed on 02/10/2019 at 12:30:57 PM by mjethani
Replying to mjethani:
I'm not sure about this actually, for the case that we are investigating.
Also, not rewriting the preflight OPTIONS request would leak information to the server, which is perhaps why the rewrite filter exists in the first place.
comment:5 Changed on 08/29/2019 at 05:43:18 PM by sebastian
- Keywords closed-in-favor-of-gitlab added
- Resolution set to rejected
- Status changed from new to closed
Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.