
Possible issue with duplicate headers in CORS / not respecting allowCrossDomain = False

Open chopki opened this issue 5 years ago • 0 comments

CF 2016 / Taffy 3.1 / Java 15.0.1

https://github.com/atuttle/Taffy/blob/3cefedfa5b85d1c023102559584f20e3bfd4ba7b/core/api.cfc#L249

When running an API that had only some resources available for CORS, setting the global allowCrossDomain = false caused Access-Control-Allow-Headers to be output twice, as I was sorting the CORS headers like the below.

Presumably the line of code in api.cfc is set up to check the length of allowCrossDomain, as you can put in a list of domains, but with false also being treated as a string it then passes this check too.

It's not a huge issue, and the workaround was to set allowCrossDomain to an empty string. Running Taffy 3.1.

	<!--- Per-resource OPTIONS handler that answers the CORS preflight with its own headers --->
	<cffunction name="options">
		<cfset var loc = {} >

		<cfset loc.headers = {
			"Access-Control-Allow-Origin" = "*"
			,"Access-Control-Allow-Headers" = "Origin,Authorization,X-CSRF-Token,X-Requested-With,Content-Type,X-HTTP-Method-Override,Accept,Referrer,User-Agent,X-Custom-Header"
		}>

		<cfreturn
			noData()
			.withHeaders(loc.headers)
		/>
	</cffunction>

chopki, Feb 25 '21 14:02
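The check the report describes passes for boolean false because ColdFusion coerces a boolean to a non-empty string before len() sees it. The following added example (not Taffy's code; corsPolicyFor, its return struct and the test values are assumptions) normalises the setting so that false and an empty string both disable the framework's CORS headers, while true and a domain list still enable them:

```cfml
// Added example, not from Taffy. Normalise an allowCrossDomain-style setting
// into an explicit policy so a length check can never be fooled by "false".
function corsPolicyFor(required any allowCrossDomain) {
    var setting = arguments.allowCrossDomain;

    // A bare length test is the weak form: len(false) is not 0, because the
    // boolean is stringified first ("NO" on Adobe ColdFusion, "false" on Lucee).
    // The header block would therefore run and add a second copy of
    // Access-Control-Allow-Headers next to the one the resource already set.

    // Empty string: CORS handling explicitly switched off.
    if (isSimpleValue(setting) && !len(trim(setting))) {
        return { enabled = false, origins = [] };
    }
    // Boolean (or boolean-like string such as "false"/"no"): honour it.
    if (isBoolean(setting)) {
        return setting
            ? { enabled = true,  origins = ["*"] }   // true means wildcard
            : { enabled = false, origins = [] };      // false means disabled
    }
    // Anything else is a comma-separated list of allowed origins (trimmed).
    return { enabled = true, origins = listToArray(setting, ",", false, true) };
}

// Constructed sample settings, showing the case from the issue first.
for (value in [false, "", true, "https://app.example.com, https://admin.example.com"]) {
    writeOutput(serializeJSON(corsPolicyFor(value)) & "<br>");
}
```

Callers that emit headers should test `policy.enabled` rather than `len(setting)`, and skip the framework headers entirely when a resource provides its own OPTIONS handler, so the two sources never append the same header twice.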