My problem with CORS POST requests

Just encountered a weird "bug" in the CORS protocol.
One of my POST request endpoints accepts a multipart form as content type. In local development the front-end sending the request exists on a different origin.

Because of the different origin, I expected a blocking response to be sent through the cross-origin resource sharing mechanism (CORS) by the back-end managing the endpoint. The back-end is a Spring Boot application. Turns out that the back-end fully processed the form data and sent back a 200 OK response... The only good thing that happened is that the front-end didn't display the response because of a missing [Access-Control-Allow-Origin] header.

After reading a clearer guide on CORS, I learned that a POST request with a multipart form as content is not blocked through CORS by design... If it were sent with a PUT request, a proper blocking response would be generated.

In my case the request added entities to the database. Not really desirable with data from unexpected sources.

So you had better configure cross-origin resource sharing (@CrossOrigin) for each endpoint that accepts POST requests with one of these content types:
  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain
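
The behaviour described above, as an added example that is not part of the original post: a simplified model of when a browser sends a preflight, and what that means for a request from an origin the back-end does not list. The function names, the origins and the `serverChecksOrigin` flag are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's preflight decision.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Request headers that do not force a preflight (the Fetch spec's limits
// on their values are ignored in this model).
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!SAFE_HEADERS.has(key)) return true;
    if (key === "content-type") {
      // Compare only the media type, without parameters such as boundary=...
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) return true;
    }
  }
  return false;
}

// What happens to a cross-origin request. serverChecksOrigin is an assumption:
// it models a back-end that rejects unlisted Origin values before the handler.
function outcome(req, allowedOrigins, serverChecksOrigin) {
  if (allowedOrigins.includes(req.origin)) return "handler runs, response readable";
  if (needsPreflight(req.method, req.headers)) return "stopped at preflight, handler never runs";
  return serverChecksOrigin
    ? "rejected by server, handler never runs"
    : "handler runs, response hidden from script";
}

// Constructed sample requests from a local dev front-end.
const dev = "http://localhost:3000";
const multipart = { "Content-Type": "multipart/form-data; boundary=x" };
const samples = [
  { origin: dev, method: "POST", headers: multipart },
  { origin: dev, method: "PUT", headers: multipart },
  { origin: dev, method: "POST", headers: { "Content-Type": "application/json" } },
];
for (const req of samples) {
  console.log(req.method, req.headers["Content-Type"], "->", outcome(req, ["https://app.example"], false));
}
```

Only the first sample reaches the handler: the multipart POST is sent without a preflight, so the database write happens unless the back-end itself rejects the origin.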
