Nuxeo Documentation / NXDOC-2257

Fix CORS config verification

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10, 11
    • Component/s: Technical FAQ (KB)

      Description

      In the documentation about CORS config, there is a section about verification (https://doc.nuxeo.com/nxdoc/cross-origin-resource-sharing-cors/#verifying-that-the-contribution-is-taken-into-account), which states that:

      Simulate preflight request

      curl --verbose -H "Origin: http://www.nuxeo.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS http://NUXEO_SERVER/nuxeo/site/foobar/upload
      

      With the default configuration, preflight's response looks like this:

      Default response

      < HTTP/1.1 200 OK
      [...]
      

      while the response with the default configuration is actually

      HTTP/1.1 401
      [...]
      

      To get an HTTP/1.1 200, you have to use the request:

      curl --verbose -H "Origin: http://www.nuxeo.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS http://NUXEO_SERVER/nuxeo/
      

      with the default configuration

      However, when a CORS configuration is in place (e.g. the "foobar" configuration given later in the documentation) and this custom configuration is taken into account correctly, the command

      curl --verbose -H "Origin: http://www.nuxeo.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS http://NUXEO_SERVER/nuxeo/site/foobar/upload
      

      actually returns

      < HTTP/1.1 200 OK
      [...]
      

      This might seem a bit technical or overkill, but this information helps in defining a custom CORS configuration and verifying that it is indeed taken into account.

      The current documentation seems misleading when checking whether or not a custom CORS configuration is taken into account.
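
The check discussed in this ticket can be made less ambiguous by reading the CORS response headers as well as the status line. The script below is an added example, not part of the ticket or of the Nuxeo documentation. It assumes the standard `Access-Control-Allow-Origin` and `Access-Control-Allow-Methods` response headers, and the sample responses in it are constructed, not captured from a server.

```shell
#!/bin/sh
# Classify a CORS preflight response read from stdin (status line + headers).
# Usage: classify_preflight ORIGIN METHOD
classify_preflight() {
    awk -v origin="$1" -v method="$2" '
        { sub(/\r$/, "") }                       # curl -D emits CRLF line endings
        NR == 1 { status = $2; next }            # "HTTP/1.1 200 OK" -> 200
        {
            i = index($0, ":"); if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == "access-control-allow-origin")  acao = val
            if (name == "access-control-allow-methods") acam = toupper(val)
        }
        END {
            if (acao == "")                          verdict = "no-cors-headers"
            else if (status !~ /^2/)                 verdict = "bad-status"
            else if (acao != "*" && acao != origin)  verdict = "origin-mismatch"
            else {
                verdict = "method-not-allowed"
                n = split(acam, m, /[ \t]*,[ \t]*/)
                for (k = 1; k <= n; k++)
                    if (m[k] == method || m[k] == "*") verdict = "applied"
            }
            print verdict " status=" status
        }'
}

# Live probe (needs network; not called here). Same request as the ticket's curl.
# Usage: probe http://NUXEO_SERVER/nuxeo/site/foobar/upload http://www.nuxeo.com POST
probe() {
    curl -sS -o /dev/null -D - -X OPTIONS -H "Origin: $2" \
         -H "Access-Control-Request-Method: $3" \
         -H "Access-Control-Request-Headers: X-Requested-With" "$1" |
        classify_preflight "$2" "$3"
}

# Constructed sample responses (assumed shapes, for offline demonstration).
SAMPLE_401='HTTP/1.1 401 \r\nContent-Length: 0\r\n\r\n'
SAMPLE_200='HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: http://www.nuxeo.com\r\nAccess-Control-Allow-Methods: GET, POST\r\n\r\n'
printf '%b' "$SAMPLE_401" | classify_preflight http://www.nuxeo.com POST
printf '%b' "$SAMPLE_200" | classify_preflight http://www.nuxeo.com POST
```

A `200` without any `Access-Control-Allow-*` header is reported as `no-cors-headers`, so a successful status alone is never taken as proof that the contribution was loaded.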

            People

            • Assignee: Unassigned
            • Reporter: pabgrall Patrick Abgrall