Chrome not blocking invalid CORS request


I have a problem with CORS requests that I believe should be denied, but Chrome, Firefox and IE all accept them. The request, captured in Wireshark, is:

  GET /code/rest/postcodeSearch?Provider=&Postcode=PL6+7TL HTTP/1.1
  Host: devtestl1:5706
  Connection: keep-alive
  Accept: application/json, text/javascript, */*; q=0.01
  Origin: http://localhost:5506
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
  DNT: 1
  Referer: http://localhost:5506/icm/admin/articles/dopreview.cfm?InEditorPreview=false&NodeID=1&browser=NS6&HTMLEditor=TRUE&FlashTreePluginLocated=12&SubsiteName=&WYSIWYGEditControl=TEMPLATE&bMobileSimulator=False
  Accept-Encoding: gzip, deflate, sdch
  Accept-Language: en,en-GB;q=0.8

The response is:

  HTTP/1.1 200 OK
  Access-Control-Allow-Origin: http://localhost:5506
  Access-Control-Allow-Methods: POST
  Access-Control-Max-Age: 60
  Access-Control-Allow-Headers: Content-Type, Authorization, X-API-Session, X-APP-Key, X-AP-Token
  Access-Control-Expose-Headers: Content-Type, X-AP-Session, X-AP-Token
  Content-Type: application/json; charset=utf-8
  Content-Length: 669
  Date: Tue, 18 Feb 2014 11:14:57 GMT
  Connection: keep-alive

  {"Results": [ /* three address records (udprn, Company, Department, Line1-Line5, City, County, Postcode) for PL6 7TL; the field values are garbled in the capture and omitted here */ ], "_transport_": {"statusCode": 200}}

The returned postcode data is displayed in the browser, even though the response to the GET request carries an "Access-Control-Allow-Methods: POST" header, which I thought meant the browser should discard the whole response.

Why is this response allowed?

Thanks, Andy

I think I'm seeing the problem now. The Access-Control-Allow-Methods header is only used with an OPTIONS pre-flight request. It seems that the decision to reject the request based on the method has to be made on the server. The same applies to the Access-Control-Allow-Headers header as well.
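The conclusion in the answer above can be checked against a small model of the two decisions a browser makes under the Fetch standard's CORS protocol: whether a request is "simple" enough to skip the preflight, and what each of the two responses (preflight and actual) is checked for. The example below is added here and is not code from the original post; the header names and values are taken from the captured exchange, everything else (the sample requests, the assumption that the server answers OPTIONS with the same CORS headers it sends on the real response, and the simplifications noted in the comments) is constructed for illustration.

```javascript
// Added example: a simplified model of browser-side CORS decisions.
// Wildcard ("*") handling and the byte-level restrictions on safelisted
// header values are omitted for brevity; the structure follows the
// Fetch standard's "CORS-preflight fetch" and "CORS check" steps.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Step 1: does the request need an OPTIONS preflight at all?
// Only author-set headers count; headers the browser adds itself
// (DNT, Referer, Origin, ...) never trigger a preflight.
function needsPreflight(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Step 2a: what the browser checks on a preflight response.
// This is the only place Allow-Methods and Allow-Headers are consulted.
function preflightCheck(method, requestHeaders, responseHeaders) {
  const methods = (responseHeaders["access-control-allow-methods"] || "")
    .split(",").map((s) => s.trim().toUpperCase());
  if (!methods.includes(method.toUpperCase())) return false;
  const allowed = new Set((responseHeaders["access-control-allow-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()));
  for (const name of Object.keys(requestHeaders)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname) && !allowed.has(lname)) return false;
  }
  return true;
}

// Step 2b: the "CORS check" on the actual response. Only the origin
// matters here; the method the server "allows" is never looked at.
function corsCheck(origin, responseHeaders, credentials = false) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !credentials; // "*" is rejected for credentialed requests
  return allow === origin;
}

// Combined outcome. Assumption (constructed): the server returns the
// same CORS headers on the OPTIONS response as on the real response.
function browserOutcome(method, requestHeaders, origin, responseHeaders) {
  if (needsPreflight(method, requestHeaders) &&
      !preflightCheck(method, requestHeaders, responseHeaders)) {
    return "blocked-by-preflight"; // real request is never sent
  }
  // The real request IS sent and the server DOES run it; the browser
  // only decides whether script may read the result.
  return corsCheck(origin, responseHeaders) ? "readable" : "blocked-by-cors-check";
}

// Header values from the captured response in the post.
const SERVER_RESPONSE_HEADERS = {
  "access-control-allow-origin": "http://localhost:5506",
  "access-control-allow-methods": "POST",
  "access-control-allow-headers":
    "content-type, authorization, x-api-session, x-app-key, x-ap-token",
};

// The captured GET: the only author-set header is Accept, so no preflight
// happens and Allow-Methods: POST is never examined.
const CAPTURED_GET_HEADERS = { Accept: "application/json, text/javascript, */*; q=0.01" };

console.log(browserOutcome("GET", CAPTURED_GET_HEADERS, "http://localhost:5506", SERVER_RESPONSE_HEADERS));
// Adding a custom header forces a preflight, and only then does GET fail
// against Allow-Methods: POST.
console.log(browserOutcome("GET", { ...CAPTURED_GET_HEADERS, "X-API-Session": "abc" },
  "http://localhost:5506", SERVER_RESPONSE_HEADERS));
```

The model makes the practical point explicit: for a non-preflighted request the server has already executed the GET by the time the browser looks at the response, so `Access-Control-Allow-Methods` cannot stop it. Method and header restrictions have to be enforced in the handler itself (or by an allow-list on the server), with the CORS headers only governing what a cross-origin page is permitted to read.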

