Skip to content

Change Request: Ensure all CORS errors are represented #27

New issue
New issue
Open
Feature
Open
Change Request: Ensure all CORS errors are represented#27
Feature
Labels
enhancementNew feature or request
@nzakas

Description

@nzakas
nzakas
opened on Jan 29, 2025

What problem do you want to solve?

I'd like to ensure the CORS implementation is as complete as possible.

What do you think is the correct solution?

A good way to do that is to ensure that each of the known errors are created by Mentoss.

Chrome Errors:
https://cors-errors.info/error-messages

  • No 'Access-Control-Allow-Origin' header is present on the requested resource.
  • The 'Access-Control-Allow-Origin' header has a value 'http://example.com' that is not equal to the supplied origin.
  • The 'Access-Control-Allow-Origin' header contains multiple values 'http://example.com, http://localhost:8080', but only one is allowed.
  • The 'Access-Control-Allow-Origin' header contains the invalid value 'xyz'.
  • The Same Origin Policy disallows reading the remote resource at ‘http://localhost:3000/safe-ok’. (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’)
  • The Same Origin Policy disallows reading the remote resource at http://localhost:3000/explicit-ok. (Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’)
  • Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
  • Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'http://example.com' that is not equal to the supplied origin.
  • Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'http://example.com, http://localhost:8080', but only one is allowed.
  • Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains the invalid value 'xyz'.
  • Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
  • Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.
  • Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
  • Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
  • Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.
  • Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
  • Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
  • Redirect location '' contains a username and password, which is disallowed for cross-origin requests.

Firefox Errors:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors

Participation

  • I am willing to submit a pull request for this change.

Additional comments

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    Feature

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions