Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

response from OPTIONS returns 204 status code by default #8

Open
lnfel opened this issue Sep 26, 2023 · 3 comments
Open

response from OPTIONS returns 204 status code by default #8

lnfel opened this issue Sep 26, 2023 · 3 comments

Comments

@lnfel
Copy link

lnfel commented Sep 26, 2023
edited
Loading

elysia: 0.7.12
nodejs: 18.14
@bogeychan/elysia-polyfills: 0.6.1
browser: Google Chrome Version 116.0.5845.187 (Official Build) (x86_64)

Reading MDN docs about OPTIONS gives an example that uses 204 as the response status code, other browser implementations expect OPTIONS response to return status code of ok or 200 as mentioned in the same document.

Furthermore RFC9110 section 15.3.1 states that a response status code of 200 can be used for OPTIONS response. With that said a CORS error pops up when using default elysia-cors options.

import { Elysia } from 'elysia'

const routes = new Elysia()
  .use(cors())
  .post('/test', async ({ body }) => {
    console.log(body)
    return {}
  })

When sending a post request to /test, the browser receives a response status of 204 and decides to block the request due to CORS policy:

Access to XMLHttpRequest at 'https://api.website.com/test' from origin 'https://app.website.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Also receives a TypeError:

TypeError: Response constructor: Invalid response status code 204
-- at webidl.errors.exception (node:internal/deps/undici/undici:1265:14)
-- at initializeResponse (node:internal/deps/undici/undici:6845:31)
-- at new Response (node:internal/deps/undici/undici:6654:9)

There's a work around with this by using Elysia instance's .options method:

import { Elysia } from 'elysia'

const routes = new Elysia()
  .use(cors())
  .options('/test', ({ set }) => {
    set.status = "OK"
  })
  .post('/test', async ({ body }) => {
    console.log(body)
    return {}
  })

It works but it is quite cumbersome. What do you guys think? Perhaps we should we default to status 200 instead.
@rhkdgns95
Copy link

rhkdgns95 commented Oct 11, 2023
edited
Loading

Hi
I also had the same cors problem as you, so I left an issue.

elysiajs/elysia#184 (comment)

For method options, a header value must be returned along with code 204.

@lnfel
Copy link
Author

lnfel commented Oct 13, 2023
edited
Loading

From what I experienced, elysia cors removes Access-Control-Allow-Headers whenever schema validation returns error against the payload sent. If validation is successful, then the headers will be present but elysia cors will return 204 status code which Google Chrome does not like, hence the error. The browser expect a 200 status code response from preflight response. It won't matter even if we add the headers manually if the code is 204 because chrome does not find it acceptable.

@dodas
Copy link

dodas commented Dec 8, 2023

+1
The preflight request should be responded to with status 200 instead of 204, which Chrome will reject.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dodas @rhkdgns95 @lnfel