disable basic authentication for HTTP OPTIONS for CORS #1176
vemonet commented Sep 13, 2021 • edited
Is there any plan on accepting this fix? We are having the same issue to use CORS + basic nginx Auth, and it's quite cumbersome to re-build everything for one missing line! Thanks a lot! @buchdag

I'm not sure this should be accepted. When configuring http basic authentication, by default I would expect all requests to only be forwarded after authentication; that way no data can be accidentally leaked to unauthenticated clients. IMO if any request is excluded from this, it should at least be documented in the README. Perhaps it should also be hidden behind a feature flag / environment variable.
This is to make CORS work together with basic authentication. OPTIONS should not be restricted, as browsers don't send the auth bearer for pre-flight requests.
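
One way to reconcile the two positions in this thread, shown as an added example that is neither this PR's change nor the project's generated configuration: answer the preflight at the proxy itself, so OPTIONS needs no credentials but is also never forwarded to the backend. The host names, allowed origin, upstream address and htpasswd path are constructed placeholders.

```nginx
# Added example; belongs in the http{} context (e.g. a conf.d file).
# All names and paths below are constructed placeholders. TLS is omitted for brevity.

# Echo the Origin back only for explicitly allowed origins; otherwise the
# variable is empty and nginx emits no Access-Control-Allow-Origin header.
map $http_origin $cors_origin {
    default                     "";
    "https://app.example.test"  $http_origin;
}

server {
    listen 80;
    server_name api.example.test;

    location / {
        # Preflight is answered here. "return" runs in the rewrite phase,
        # before auth_basic (access phase), so no credentials are needed
        # and the request never reaches the upstream.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Methods     "GET, POST, PUT, DELETE" always;
            add_header Access-Control-Allow-Headers     "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age           "600" always;
            add_header Vary                             "Origin" always;
            return 204;
        }

        # Every request that is actually proxied still requires basic auth.
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd/api.example.test;

        # CORS headers on the real responses, including 401s ("always").
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Vary                             "Origin" always;

        proxy_pass http://127.0.0.1:8080;
    }
}
```

To check the behaviour, an OPTIONS request without credentials should return 204 with no upstream access-log entry, while a GET without credentials should still return 401.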