CORS should not allow wildcard and a specific method #3647

@howardjohn

Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods, there are two valid options:

Access-Control-Allow-Methods: <method>, <method>, …
Access-Control-Allow-Methods: *

This implies you cannot have Access-Control-Allow-Methods: GET,*. You probably shouldn't anyways.

It probably makes sense to allow a single entry only if one is a wildcard.

Note the link is not an RFC, but the RFCs seem super vague here.
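
The check proposed above, as an added Go example that is not part of the original issue or the project's code: `ValidateAllowMethods` and `ParseAllowMethods` are hypothetical helper names and the sample header values are constructed. It goes slightly beyond the wildcard case by also rejecting entries that are not valid HTTP method tokens.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrWildcardMixed = errors.New(`"*" must be the only allowed-methods entry`)
var ErrInvalidMethod = errors.New("entry is not a valid HTTP method token")

// isToken reports whether s is an RFC 9110 token, the grammar of an HTTP method.
func isToken(s string) bool {
	for _, r := range s {
		alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !alnum && !strings.ContainsRune("!#$%&'*+-.^_`|~", r) {
			return false
		}
	}
	return s != ""
}

// ValidateAllowMethods (hypothetical helper) accepts either a list of
// specific methods or a single "*", never a mix of the two.
func ValidateAllowMethods(methods []string) error {
	for _, m := range methods {
		if !isToken(m) {
			return fmt.Errorf("%q: %w", m, ErrInvalidMethod)
		}
		if m == "*" && len(methods) > 1 {
			return fmt.Errorf("%q: %w", methods, ErrWildcardMixed)
		}
	}
	return nil
}

// ParseAllowMethods splits a raw header value on commas and validates it.
func ParseAllowMethods(header string) ([]string, error) {
	parts := strings.Split(header, ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return parts, ValidateAllowMethods(parts)
}

func main() {
	for _, h := range []string{"GET, POST", "*", "GET,*"} { // constructed samples
		_, err := ParseAllowMethods(h)
		fmt.Printf("%q -> %v\n", h, err)
	}
}
```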

Labels

kind/bug: Categorizes issue or PR as related to a bug.
priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
triage/accepted: Indicates an issue or PR is ready to be actively worked on.
