It seems like CORS support for validation is intended, from org.hl7.fhir.validator-wrapper/src/jvmMain/kotlin/Module.kt (lines 66 to 78 in d830da3).
But currently Access-Control-Allow-Origin response headers omit POST.
Example reproduction:
$ curl -vvv 'https://validator.fhir.org/validate' -X 'OPTIONS' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.9' -H 'Access-Control-Request-Headers: content-type' -H 'Access-Control-Request-Method: POST' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Origin: http://localhost:5173' -H 'Pragma: no-cache' -H 'Referer: http://localhost:5173/' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'
Result:
< Access-Control-Allow-Origin: http://localhost:5173
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: DELETE, OPTIONS, PATCH, PUT
< Access-Control-Allow-Headers: Access-Control-Allow-Origin, Authorization, Content-Type
< Access-Control-Max-Age: 86400
Expected:
< Access-Control-Allow-Methods: DELETE, OPTIONS, PATCH, POST, PUT
Adding allowMethod(HttpMethod.Post) to the CORS config block does not help (and shouldn't according to the docs, because POST is in the default config).
The config looks ok to me.
Looks like we're using a 2-year-old version of ktor though.
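Added example, not part of the original issue or the project's code: a simplified version of the CORS-preflight check from the Fetch standard, run against the response headers shown in the Result block above. Under that check GET, HEAD and POST are CORS-safelisted methods and pass whether or not Access-Control-Allow-Methods lists them. The `preflightAllows` function, the request object shape and the JSON body type are assumptions of this sketch.

```javascript
// Simplified CORS-preflight check from the Fetch standard (added example).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Split a comma-separated header value into trimmed, non-empty tokens.
const tokens = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// request: { origin, method, unsafeHeaders, credentials } (hypothetical shape).
// response: preflight response headers keyed by lower-cased name.
function preflightAllows(request, response) {
  const credentialed = request.credentials === true;
  // CORS check: exact origin match, or "*" for non-credentialed requests only.
  const allowOrigin = response["access-control-allow-origin"];
  if (allowOrigin !== request.origin && (credentialed || allowOrigin !== "*")) {
    return { ok: false, reason: "origin not allowed" };
  }
  if (credentialed && response["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials not allowed" };
  }
  // Method check: safelisted methods pass even when the header omits them.
  const methods = tokens(response["access-control-allow-methods"]);
  const wildcardMethod = !credentialed && methods.includes("*");
  if (!methods.includes(request.method) && !SAFELISTED_METHODS.has(request.method) && !wildcardMethod) {
    return { ok: false, reason: `method ${request.method} not allowed` };
  }
  // Header check: every non-safelisted request header must be listed.
  const headers = tokens(response["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const wildcardHeader = !credentialed && headers.includes("*");
  for (const name of request.unsafeHeaders) {
    if (!headers.includes(name.toLowerCase()) && !wildcardHeader) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passes" };
}

// Response headers copied from the Result block on this page.
const observed = {
  "access-control-allow-origin": "http://localhost:5173",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "DELETE, OPTIONS, PATCH, PUT",
  "access-control-allow-headers": "Access-Control-Allow-Origin, Authorization, Content-Type",
};
// Constructed request: a credentialed JSON POST from the Origin used in the curl call.
const jsonPost = { origin: "http://localhost:5173", method: "POST", unsafeHeaders: ["content-type"], credentials: true };

console.log(preflightAllows(jsonPost, observed));
```

When auditing a CORS policy, the same function shows which origins, methods and headers a given preflight response actually admits, including the safelisted methods that never appear in the header.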