From: Rafał Miłecki <rafal@milecki.pl>
Date: Mon, 21 Sep 2020 14:16:23 +0000 (+0200)
Subject: ubus: support GET method with CORS requests
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=c186212a3075766717cab396a46242f110ee71bd;p=project%2Fuhttpd.git

ubus: support GET method with CORS requests

Complex GET requests (e.g. those with custom headers) require browsers
to send preflight OPTIONS request with:
Access-Control-Request-Method: GET

It's important to reply to such requests with the header
Access-Control-Allow-Origin (and optionally others) to allow CORS
requests.

Adding GET to the Access-Control-Allow-Methods is cosmetical as
according to the Fetch standard:

> If request’s method is not in methods, request’s method is not a
> CORS-safelisted method, and request’s credentials mode is "include" or
> methods does not contain `*`, then return a network error.

It basically means that Access-Control-Allow-Methods value is ignored
for GET, HEAD and POST methods.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---

diff --git a/ubus.c b/ubus.c
index 1cf5c5f..39b38b2 100644
--- a/ubus.c
+++ b/ubus.c
@@ -164,7 +164,7 @@ static void uh_ubus_add_cors_headers(struct client *cl)
 	{
 		char *hdr = (char *) blobmsg_data(tb[HDR_ACCESS_CONTROL_REQUEST_METHOD]);
 
-		if (strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS"))
+		if (strcmp(hdr, "GET") && strcmp(hdr, "POST") && strcmp(hdr, "OPTIONS"))
 			return;
 	}
 
@@ -175,7 +175,7 @@ static void uh_ubus_add_cors_headers(struct client *cl)
 		ustream_printf(cl->us, "Access-Control-Allow-Headers: %s\r\n",
 		               blobmsg_get_string(tb[HDR_ACCESS_CONTROL_REQUEST_HEADERS]));
 
-	ustream_printf(cl->us, "Access-Control-Allow-Methods: POST, OPTIONS\r\n");
+	ustream_printf(cl->us, "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n");
 	ustream_printf(cl->us, "Access-Control-Allow-Credentials: true\r\n");
 }