fix: handle CORS pre-flight requests correctly

PostgREST · Nov 16, 2023 · d781204 · d781204
1 parent 3c1a7f2
commit d781204
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
  - #3019, Transaction-Scoped Settings are now shown clearly in the Postgres logs - @laurenceisla
    + Shows `set_config('pgrst.setting_name', $1)` instead of `setconfig($1, $2)`
    + Does not apply to role settings and `app.settings.*`
+ - #3027
 
 ### Changed
 

diff --git a/src/PostgREST/Cors.hs b/src/PostgREST/Cors.hs
@@ -34,7 +34,7 @@ corsPolicy corsAllowedOrigins req = case lookup "origin" headers of
     , Wai.corsMaxAge = Just $ 60*60*24
     , Wai.corsVaryOrigin = False
     , Wai.corsRequireOrigin = False
-    , Wai.corsIgnoreFailures = True
+    , Wai.corsIgnoreFailures = ignoreFailures
     }
   Nothing -> Nothing
   where
@@ -44,3 +44,7 @@ corsPolicy corsAllowedOrigins req = case lookup "origin" headers of
        -- Impossible case, Middleware.Cors will not evaluate this when
        -- the Access-Control-Request-Headers header is not set.
       Nothing   -> []
+    -- The library makes "OPTIONS" requests fail when the "Origin" header is present
+    -- and when "Access-Control-Request-Method" is not. We want to pass this through
+    isOptions = Wai.requestMethod req == "OPTIONS"
+    ignoreFailures = isOptions && isNothing (lookup "access-control-request-method" headers)