[Bugfix] Bypass authorization API token for preflight requests #4862
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Browsers should not send credentials in preflight requests irrespective of this setting. Source: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#sending_a_request_with_credentials_included
simon-mo
approved these changes
May 16, 2024
robertgshaw2-neuralmagic
pushed a commit
to neuralmagic/nm-vllm
that referenced
this pull request
May 19, 2024
dtrifiro
pushed a commit
to dtrifiro/vllm
that referenced
this pull request
May 21, 2024
Temirulan
pushed a commit
to Temirulan/vllm-whisper
that referenced
this pull request
Sep 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
From this guideline, we can expect that almost all browsers won't send credentials during CORS preflight requests.
So, without this condition all preflight requests (OPTIONS) will reach the server without the authorization token and will be rejected by the middleware.
I searched for open issues, but wasn't able to find someone reporting this.