My problem with CORS POST requests
Just encountered a weird "bug" in the CORS protocol.
One of my POST request endpoints accepts a multipart form as content type. In local development the front-end sending the request exists on a different origin.
Because of the different origin I expected a blocking response to be sent through the cross-origin resource sharing mechanism (CORS) by the back-end managing the endpoint. The back-end is a Spring Boot application. Turns out that the back-end fully processed the form data and sent back a 200 OK response... The only good thing that happened is that the front-end didn't display the response because of a missing [Access-Control-Allow-Origin] header.
After reading a clearer guide on CORS, I learned that a POST request with a multipart form as content is not blocked through CORS by design... If it was sent with a PUT request, a proper blocking response would be generated.
In my case the request added entities to the database. Not really desirable with data from unexpected sources.
So better configure your @CrossOrigin resource sharing for each endpoint that accepts POST requests of content types:
application/x-www-form-urlencoded
multipart/form-data
text/plain
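
The behaviour described above, as an added example that is not part of the original post: a simplified model of when a browser sends a preflight, next to a hypothetical server-side Origin check that runs before any data is stored. The function names and sample requests are assumptions, and only method, header names and Content-Type are modelled.

```javascript
// Added example: simplified model of the browser's preflight decision.
// Only method, header names and Content-Type are checked; the Fetch
// standard has further conditions (e.g. limits on header values).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(key)) return true;
    if (key === "content-type") {
      // Compare the media type only, ignoring parameters such as boundary=
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return true;
    }
  }
  return false;
}

// Hypothetical server-side gate, evaluated before the handler changes state.
// Requests without an Origin header are treated as not cross-origin here
// (an assumption of this sketch); the allow-list must include the site's
// own origin, since browsers also send Origin on same-origin POSTs.
function allowStateChange(originHeader, allowedOrigins) {
  if (originHeader === undefined) return true;
  return allowedOrigins.includes(originHeader);
}

// Constructed sample requests.
const multipartPost = { method: "POST", headers: { "Content-Type": "multipart/form-data; boundary=x" } };
const jsonPost = { method: "POST", headers: { "Content-Type": "application/json" } };
const multipartPut = { method: "PUT", headers: { "Content-Type": "multipart/form-data; boundary=x" } };
```

A request for which `needsPreflight` returns `false` reaches the endpoint directly, so the server has to check the origin itself before it writes anything.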