This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Drop Origin & Accept from Access-Control-Allow-Headers value #10114
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change drops the Origin and Accept header names from the value of the Access-Control-Allow-Headers response header sent by Synapse. Per the CORS protocol, it’s not necessary or useful to include those header names. Details: Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: matrix-org/matrix-spec-proposals#3225 Signed-off-by: Michael[tm] Smith <mike@w3.org>
sideshowbarker
added a commit
to sideshowbarker/matrix-doc
that referenced
this pull request
Jun 3, 2021
This change drops the Origin and Accept header names from the recommended value for the CORS Access-Control-Allow-Headers header. Per the CORS protocol, it’s not necessary or useful to include them. Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: Related: matrix-org/synapse#10114 Signed-off-by: Michael[tm] Smith <mike@w3.org>
|
@turt2live has volunteered to check this as someone more familiar with web dev and CORS. |
turt2live
approved these changes
Jun 23, 2021
babolivier
added a commit
that referenced
this pull request
Jul 7, 2021
Synapse 1.38.0rc1 (2021-07-06) ============================== This release includes a database schema update which could result in elevated disk usage. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#upgrading-to-v1380) for more information. Features -------- - Implement refresh tokens as specified by [MSC2918](matrix-org/matrix-spec-proposals#2918). ([\#9450](#9450)) - Add support for evicting cache entries based on last access time. ([\#10205](#10205)) - Omit empty fields from the `/sync` response. Contributed by @deepbluev7. ([\#10214](#10214)) - Improve validation on federation `send_{join,leave,knock}` endpoints. ([\#10225](#10225), [\#10243](#10243)) - Add SSO `external_ids` to the Query User Account admin API. ([\#10261](#10261)) - Mark events received over federation which fail a spam check as "soft-failed". ([\#10263](#10263)) - Add metrics for new inbound federation staging area. ([\#10284](#10284)) - Add script to print information about recently registered users. ([\#10290](#10290)) Bugfixes -------- - Fix a long-standing bug which meant that invite rejections and knocks were not sent out over federation in a timely manner. ([\#10223](#10223)) - Fix a bug introduced in v1.26.0 where only users who have set profile information could be deactivated with erasure enabled. ([\#10252](#10252)) - Fix a long-standing bug where Synapse would return errors after 2<sup>31</sup> events were handled by the server. ([\#10264](#10264), [\#10267](#10267), [\#10282](#10282), [\#10286](#10286), [\#10291](#10291), [\#10314](#10314), [\#10326](#10326)) - Fix the prometheus `synapse_federation_server_pdu_process_time` metric. Broke in v1.37.1. ([\#10279](#10279)) - Ensure that inbound events from federation that were being processed when Synapse was restarted get promptly processed on start up. ([\#10303](#10303)) Improved Documentation ---------------------- - Move the upgrade notes to [docs/upgrade.md](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md) and convert them to markdown. ([\#10166](#10166)) - Choose Welcome & Overview as the default page for synapse documentation website. ([\#10242](#10242)) - Adjust the URL in the README.rst file to point to irc.libera.chat. ([\#10258](#10258)) - Fix homeserver config option name in presence router documentation. ([\#10288](#10288)) - Fix link pointing at the wrong section in the modules documentation page. ([\#10302](#10302)) Internal Changes ---------------- - Drop `Origin` and `Accept` from the value of the `Access-Control-Allow-Headers` response header. ([\#10114](#10114)) - Add type hints to the federation servlets. ([\#10213](#10213)) - Improve the reliability of auto-joining remote rooms. ([\#10237](#10237)) - Update the release script to use the semver terminology and determine the release branch based on the next version. ([\#10239](#10239)) - Fix type hints for computing auth events. ([\#10253](#10253)) - Improve the performance of the spaces summary endpoint by only recursing into spaces (and not rooms in general). ([\#10256](#10256)) - Move event authentication methods from `Auth` to `EventAuthHandler`. ([\#10268](#10268)) - Re-enable a SyTest after it has been fixed. ([\#10292](#10292))
aaronraimist
added a commit
to aaronraimist/synapse
that referenced
this pull request
Jul 13, 2021
Synapse 1.38.0 (2021-07-13) =========================== This release includes a database schema update which could result in elevated disk usage. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#upgrading-to-v1380) for more information. No significant changes since 1.38.0rc3. Synapse 1.38.0rc3 (2021-07-13) ============================== Internal Changes ---------------- - Build the Debian packages in CI. ([\matrix-org#10247](matrix-org#10247), [\matrix-org#10379](matrix-org#10379)) Synapse 1.38.0rc2 (2021-07-09) ============================== Bugfixes -------- - Fix bug where inbound federation in a room could be delayed due to not correctly dropping a lock. Introduced in v1.37.1. ([\matrix-org#10336](matrix-org#10336)) Improved Documentation ---------------------- - Update links to documentation in the sample config. Contributed by @dklimpel. ([\matrix-org#10287](matrix-org#10287)) - Fix broken links in [INSTALL.md](INSTALL.md). Contributed by @dklimpel. ([\matrix-org#10331](matrix-org#10331)) Synapse 1.38.0rc1 (2021-07-06) ============================== Features -------- - Implement refresh tokens as specified by [MSC2918](matrix-org/matrix-spec-proposals#2918). ([\matrix-org#9450](matrix-org#9450)) - Add support for evicting cache entries based on last access time. ([\matrix-org#10205](matrix-org#10205)) - Omit empty fields from the `/sync` response. Contributed by @deepbluev7. ([\matrix-org#10214](matrix-org#10214)) - Improve validation on federation `send_{join,leave,knock}` endpoints. ([\matrix-org#10225](matrix-org#10225), [\matrix-org#10243](matrix-org#10243)) - Add SSO `external_ids` to the Query User Account admin API. ([\matrix-org#10261](matrix-org#10261)) - Mark events received over federation which fail a spam check as "soft-failed". ([\matrix-org#10263](matrix-org#10263)) - Add metrics for new inbound federation staging area. ([\matrix-org#10284](matrix-org#10284)) - Add script to print information about recently registered users. ([\matrix-org#10290](matrix-org#10290)) Bugfixes -------- - Fix a long-standing bug which meant that invite rejections and knocks were not sent out over federation in a timely manner. ([\matrix-org#10223](matrix-org#10223)) - Fix a bug introduced in v1.26.0 where only users who have set profile information could be deactivated with erasure enabled. ([\matrix-org#10252](matrix-org#10252)) - Fix a long-standing bug where Synapse would return errors after 2<sup>31</sup> events were handled by the server. ([\matrix-org#10264](matrix-org#10264), [\matrix-org#10267](matrix-org#10267), [\matrix-org#10282](matrix-org#10282), [\matrix-org#10286](matrix-org#10286), [\matrix-org#10291](matrix-org#10291), [\matrix-org#10314](matrix-org#10314), [\matrix-org#10326](matrix-org#10326)) - Fix the prometheus `synapse_federation_server_pdu_process_time` metric. Broke in v1.37.1. ([\matrix-org#10279](matrix-org#10279)) - Ensure that inbound events from federation that were being processed when Synapse was restarted get promptly processed on start up. ([\matrix-org#10303](matrix-org#10303)) Improved Documentation ---------------------- - Move the upgrade notes to [docs/upgrade.md](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md) and convert them to markdown. ([\matrix-org#10166](matrix-org#10166)) - Choose Welcome & Overview as the default page for synapse documentation website. ([\matrix-org#10242](matrix-org#10242)) - Adjust the URL in the README.rst file to point to irc.libera.chat. ([\matrix-org#10258](matrix-org#10258)) - Fix homeserver config option name in presence router documentation. ([\matrix-org#10288](matrix-org#10288)) - Fix link pointing at the wrong section in the modules documentation page. ([\matrix-org#10302](matrix-org#10302)) Internal Changes ---------------- - Drop `Origin` and `Accept` from the value of the `Access-Control-Allow-Headers` response header. ([\matrix-org#10114](matrix-org#10114)) - Add type hints to the federation servlets. ([\matrix-org#10213](matrix-org#10213)) - Improve the reliability of auto-joining remote rooms. ([\matrix-org#10237](matrix-org#10237)) - Update the release script to use the semver terminology and determine the release branch based on the next version. ([\matrix-org#10239](matrix-org#10239)) - Fix type hints for computing auth events. ([\matrix-org#10253](matrix-org#10253)) - Improve the performance of the spaces summary endpoint by only recursing into spaces (and not rooms in general). ([\matrix-org#10256](matrix-org#10256)) - Move event authentication methods from `Auth` to `EventAuthHandler`. ([\matrix-org#10268](matrix-org#10268)) - Re-enable a SyTest after it has been fixed. ([\matrix-org#10292](matrix-org#10292))
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jul 17, 2021
Synapse 1.38.0 (2021-07-13) =========================== This release includes a database schema update which could result in elevated disk usage. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#upgrading-to-v1380) for more information. No significant changes since 1.38.0rc3. Synapse 1.38.0rc3 (2021-07-13) ============================== Internal Changes ---------------- - Build the Debian packages in CI. ([\#10247](matrix-org/synapse#10247), [\#10379](matrix-org/synapse#10379)) Synapse 1.38.0rc2 (2021-07-09) ============================== Bugfixes -------- - Fix bug where inbound federation in a room could be delayed due to not correctly dropping a lock. Introduced in v1.37.1. ([\#10336](matrix-org/synapse#10336)) Improved Documentation ---------------------- - Update links to documentation in the sample config. Contributed by @dklimpel. ([\#10287](matrix-org/synapse#10287)) - Fix broken links in [INSTALL.md](INSTALL.md). Contributed by @dklimpel. ([\#10331](matrix-org/synapse#10331)) Synapse 1.38.0rc1 (2021-07-06) ============================== Features -------- - Implement refresh tokens as specified by [MSC2918](matrix-org/matrix-spec-proposals#2918). ([\#9450](matrix-org/synapse#9450)) - Add support for evicting cache entries based on last access time. ([\#10205](matrix-org/synapse#10205)) - Omit empty fields from the `/sync` response. Contributed by @deepbluev7. ([\#10214](matrix-org/synapse#10214)) - Improve validation on federation `send_{join,leave,knock}` endpoints. ([\#10225](matrix-org/synapse#10225), [\#10243](matrix-org/synapse#10243)) - Add SSO `external_ids` to the Query User Account admin API. ([\#10261](matrix-org/synapse#10261)) - Mark events received over federation which fail a spam check as "soft-failed". ([\#10263](matrix-org/synapse#10263)) - Add metrics for new inbound federation staging area. ([\#10284](matrix-org/synapse#10284)) - Add script to print information about recently registered users. ([\#10290](matrix-org/synapse#10290)) Bugfixes -------- - Fix a long-standing bug which meant that invite rejections and knocks were not sent out over federation in a timely manner. ([\#10223](matrix-org/synapse#10223)) - Fix a bug introduced in v1.26.0 where only users who have set profile information could be deactivated with erasure enabled. ([\#10252](matrix-org/synapse#10252)) - Fix a long-standing bug where Synapse would return errors after 2<sup>31</sup> events were handled by the server. ([\#10264](matrix-org/synapse#10264), [\#10267](matrix-org/synapse#10267), [\#10282](matrix-org/synapse#10282), [\#10286](matrix-org/synapse#10286), [\#10291](matrix-org/synapse#10291), [\#10314](matrix-org/synapse#10314), [\#10326](matrix-org/synapse#10326)) - Fix the prometheus `synapse_federation_server_pdu_process_time` metric. Broke in v1.37.1. ([\#10279](matrix-org/synapse#10279)) - Ensure that inbound events from federation that were being processed when Synapse was restarted get promptly processed on start up. ([\#10303](matrix-org/synapse#10303)) Improved Documentation ---------------------- - Move the upgrade notes to [docs/upgrade.md](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md) and convert them to markdown. ([\#10166](matrix-org/synapse#10166)) - Choose Welcome & Overview as the default page for synapse documentation website. ([\#10242](matrix-org/synapse#10242)) - Adjust the URL in the README.rst file to point to irc.libera.chat. ([\#10258](matrix-org/synapse#10258)) - Fix homeserver config option name in presence router documentation. ([\#10288](matrix-org/synapse#10288)) - Fix link pointing at the wrong section in the modules documentation page. ([\#10302](matrix-org/synapse#10302)) Internal Changes ---------------- - Drop `Origin` and `Accept` from the value of the `Access-Control-Allow-Headers` response header. ([\#10114](matrix-org/synapse#10114)) - Add type hints to the federation servlets. ([\#10213](matrix-org/synapse#10213)) - Improve the reliability of auto-joining remote rooms. ([\#10237](matrix-org/synapse#10237)) - Update the release script to use the semver terminology and determine the release branch based on the next version. ([\#10239](matrix-org/synapse#10239)) - Fix type hints for computing auth events. ([\#10253](matrix-org/synapse#10253)) - Improve the performance of the spaces summary endpoint by only recursing into spaces (and not rooms in general). ([\#10256](matrix-org/synapse#10256)) - Move event authentication methods from `Auth` to `EventAuthHandler`. ([\#10268](matrix-org/synapse#10268)) - Re-enable a SyTest after it has been fixed. ([\#10292](matrix-org/synapse#10292))
spantaleev
added a commit
to devture/matrix-corporal
that referenced
this pull request
Jul 30, 2021
richvdh
pushed a commit
to matrix-org/matrix-spec-proposals
that referenced
this pull request
Aug 23, 2021
This change drops the Origin and Accept header names from the recommended value for the CORS Access-Control-Allow-Headers header. Per the CORS protocol, it’s not necessary or useful to include them. Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: Related: matrix-org/synapse#10114 Signed-off-by: Michael[tm] Smith <mike@w3.org>
richvdh
pushed a commit
to matrix-org/matrix-spec-proposals
that referenced
this pull request
Aug 27, 2021
This change drops the Origin and Accept header names from the recommended value for the CORS Access-Control-Allow-Headers header. Per the CORS protocol, it’s not necessary or useful to include them. Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name, Origin is a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set. So the value of Access-Control-Allow-Headers isn’t relevant to Origin or in general to other headers set by the browser itself — the browser never ever consults the Access-Control-Allow-Headers value to confirm that it’s OK for the request to include an Origin header. And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header, Accept is a “CORS-safelisted request-header”, which means that browsers allow requests to contain the Accept header regardless of whether the Access-Control-Allow-Headers value contains "Accept". So it’s unnecessary for the Access-Control-Allow-Headers to explicitly include Accept. Browsers will not perform a CORS preflight for requests containing an Accept request header. Related: Related: matrix-org/synapse#10114 Signed-off-by: Michael[tm] Smith <mike@w3.org>
babolivier
added a commit
to matrix-org/synapse-dinsic
that referenced
this pull request
Sep 1, 2021
Synapse 1.38.0 (2021-07-13) =========================== This release includes a database schema update which could result in elevated disk usage. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#upgrading-to-v1380) for more information. No significant changes since 1.38.0rc3. Synapse 1.38.0rc3 (2021-07-13) ============================== Internal Changes ---------------- - Build the Debian packages in CI. ([\#10247](matrix-org/synapse#10247), [\#10379](matrix-org/synapse#10379)) Synapse 1.38.0rc2 (2021-07-09) ============================== Bugfixes -------- - Fix bug where inbound federation in a room could be delayed due to not correctly dropping a lock. Introduced in v1.37.1. ([\#10336](matrix-org/synapse#10336)) Improved Documentation ---------------------- - Update links to documentation in the sample config. Contributed by @dklimpel. ([\#10287](matrix-org/synapse#10287)) - Fix broken links in [INSTALL.md](INSTALL.md). Contributed by @dklimpel. ([\#10331](matrix-org/synapse#10331)) Synapse 1.38.0rc1 (2021-07-06) ============================== Features -------- - Implement refresh tokens as specified by [MSC2918](matrix-org/matrix-spec-proposals#2918). ([\#9450](matrix-org/synapse#9450)) - Add support for evicting cache entries based on last access time. ([\#10205](matrix-org/synapse#10205)) - Omit empty fields from the `/sync` response. Contributed by @deepbluev7. ([\#10214](matrix-org/synapse#10214)) - Improve validation on federation `send_{join,leave,knock}` endpoints. ([\#10225](matrix-org/synapse#10225), [\#10243](matrix-org/synapse#10243)) - Add SSO `external_ids` to the Query User Account admin API. ([\#10261](matrix-org/synapse#10261)) - Mark events received over federation which fail a spam check as "soft-failed". ([\#10263](matrix-org/synapse#10263)) - Add metrics for new inbound federation staging area. ([\#10284](matrix-org/synapse#10284)) - Add script to print information about recently registered users. ([\#10290](matrix-org/synapse#10290)) Bugfixes -------- - Fix a long-standing bug which meant that invite rejections and knocks were not sent out over federation in a timely manner. ([\#10223](matrix-org/synapse#10223)) - Fix a bug introduced in v1.26.0 where only users who have set profile information could be deactivated with erasure enabled. ([\#10252](matrix-org/synapse#10252)) - Fix a long-standing bug where Synapse would return errors after 2<sup>31</sup> events were handled by the server. ([\#10264](matrix-org/synapse#10264), [\#10267](matrix-org/synapse#10267), [\#10282](matrix-org/synapse#10282), [\#10286](matrix-org/synapse#10286), [\#10291](matrix-org/synapse#10291), [\#10314](matrix-org/synapse#10314), [\#10326](matrix-org/synapse#10326)) - Fix the prometheus `synapse_federation_server_pdu_process_time` metric. Broke in v1.37.1. ([\#10279](matrix-org/synapse#10279)) - Ensure that inbound events from federation that were being processed when Synapse was restarted get promptly processed on start up. ([\#10303](matrix-org/synapse#10303)) Improved Documentation ---------------------- - Move the upgrade notes to [docs/upgrade.md](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md) and convert them to markdown. ([\#10166](matrix-org/synapse#10166)) - Choose Welcome & Overview as the default page for synapse documentation website. ([\#10242](matrix-org/synapse#10242)) - Adjust the URL in the README.rst file to point to irc.libera.chat. ([\#10258](matrix-org/synapse#10258)) - Fix homeserver config option name in presence router documentation. ([\#10288](matrix-org/synapse#10288)) - Fix link pointing at the wrong section in the modules documentation page. ([\#10302](matrix-org/synapse#10302)) Internal Changes ---------------- - Drop `Origin` and `Accept` from the value of the `Access-Control-Allow-Headers` response header. ([\#10114](matrix-org/synapse#10114)) - Add type hints to the federation servlets. ([\#10213](matrix-org/synapse#10213)) - Improve the reliability of auto-joining remote rooms. ([\#10237](matrix-org/synapse#10237)) - Update the release script to use the semver terminology and determine the release branch based on the next version. ([\#10239](matrix-org/synapse#10239)) - Fix type hints for computing auth events. ([\#10253](matrix-org/synapse#10253)) - Improve the performance of the spaces summary endpoint by only recursing into spaces (and not rooms in general). ([\#10256](matrix-org/synapse#10256)) - Move event authentication methods from `Auth` to `EventAuthHandler`. ([\#10268](matrix-org/synapse#10268)) - Re-enable a SyTest after it has been fixed. ([\#10292](matrix-org/synapse#10292))
Fizzadar
pushed a commit
to Fizzadar/synapse
that referenced
this pull request
Oct 26, 2021
Synapse 1.38.0 (2021-07-13) =========================== This release includes a database schema update which could result in elevated disk usage. See the [upgrade notes](https://matrix-org.github.io/synapse/develop/upgrade#upgrading-to-v1380) for more information. No significant changes since 1.38.0rc3. Synapse 1.38.0rc3 (2021-07-13) ============================== Internal Changes ---------------- - Build the Debian packages in CI. ([\matrix-org#10247](matrix-org#10247), [\matrix-org#10379](matrix-org#10379)) Synapse 1.38.0rc2 (2021-07-09) ============================== Bugfixes -------- - Fix bug where inbound federation in a room could be delayed due to not correctly dropping a lock. Introduced in v1.37.1. ([\matrix-org#10336](matrix-org#10336)) Improved Documentation ---------------------- - Update links to documentation in the sample config. Contributed by @dklimpel. ([\matrix-org#10287](matrix-org#10287)) - Fix broken links in [INSTALL.md](INSTALL.md). Contributed by @dklimpel. ([\matrix-org#10331](matrix-org#10331)) Synapse 1.38.0rc1 (2021-07-06) ============================== Features -------- - Implement refresh tokens as specified by [MSC2918](matrix-org/matrix-spec-proposals#2918). ([\matrix-org#9450](matrix-org#9450)) - Add support for evicting cache entries based on last access time. ([\matrix-org#10205](matrix-org#10205)) - Omit empty fields from the `/sync` response. Contributed by @deepbluev7. ([\matrix-org#10214](matrix-org#10214)) - Improve validation on federation `send_{join,leave,knock}` endpoints. ([\matrix-org#10225](matrix-org#10225), [\matrix-org#10243](matrix-org#10243)) - Add SSO `external_ids` to the Query User Account admin API. ([\matrix-org#10261](matrix-org#10261)) - Mark events received over federation which fail a spam check as "soft-failed". ([\matrix-org#10263](matrix-org#10263)) - Add metrics for new inbound federation staging area. ([\matrix-org#10284](matrix-org#10284)) - Add script to print information about recently registered users. ([\matrix-org#10290](matrix-org#10290)) Bugfixes -------- - Fix a long-standing bug which meant that invite rejections and knocks were not sent out over federation in a timely manner. ([\matrix-org#10223](matrix-org#10223)) - Fix a bug introduced in v1.26.0 where only users who have set profile information could be deactivated with erasure enabled. ([\matrix-org#10252](matrix-org#10252)) - Fix a long-standing bug where Synapse would return errors after 2<sup>31</sup> events were handled by the server. ([\matrix-org#10264](matrix-org#10264), [\matrix-org#10267](matrix-org#10267), [\matrix-org#10282](matrix-org#10282), [\matrix-org#10286](matrix-org#10286), [\matrix-org#10291](matrix-org#10291), [\matrix-org#10314](matrix-org#10314), [\matrix-org#10326](matrix-org#10326)) - Fix the prometheus `synapse_federation_server_pdu_process_time` metric. Broke in v1.37.1. ([\matrix-org#10279](matrix-org#10279)) - Ensure that inbound events from federation that were being processed when Synapse was restarted get promptly processed on start up. ([\matrix-org#10303](matrix-org#10303)) Improved Documentation ---------------------- - Move the upgrade notes to [docs/upgrade.md](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md) and convert them to markdown. ([\matrix-org#10166](matrix-org#10166)) - Choose Welcome & Overview as the default page for synapse documentation website. ([\matrix-org#10242](matrix-org#10242)) - Adjust the URL in the README.rst file to point to irc.libera.chat. ([\matrix-org#10258](matrix-org#10258)) - Fix homeserver config option name in presence router documentation. ([\matrix-org#10288](matrix-org#10288)) - Fix link pointing at the wrong section in the modules documentation page. ([\matrix-org#10302](matrix-org#10302)) Internal Changes ---------------- - Drop `Origin` and `Accept` from the value of the `Access-Control-Allow-Headers` response header. ([\matrix-org#10114](matrix-org#10114)) - Add type hints to the federation servlets. ([\matrix-org#10213](matrix-org#10213)) - Improve the reliability of auto-joining remote rooms. ([\matrix-org#10237](matrix-org#10237)) - Update the release script to use the semver terminology and determine the release branch based on the next version. ([\matrix-org#10239](matrix-org#10239)) - Fix type hints for computing auth events. ([\matrix-org#10253](matrix-org#10253)) - Improve the performance of the spaces summary endpoint by only recursing into spaces (and not rooms in general). ([\matrix-org#10256](matrix-org#10256)) - Move event authentication methods from `Auth` to `EventAuthHandler`. ([\matrix-org#10268](matrix-org#10268)) - Re-enable a SyTest after it has been fixed. ([\matrix-org#10292](matrix-org#10292))
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change drops the
OriginandAcceptheader names from the value of theAccess-Control-Allow-Headersresponse header sent by Synapse. Per the CORS protocol, it’s not necessary or useful to include those header names.Details:
Per-spec at https://fetch.spec.whatwg.org/#forbidden-header-name,
Originis a “forbidden header name” set by the browser and that frontend JavaScript code is never allowed to set.So the value of
Access-Control-Allow-Headersisn’t relevant toOriginor in general to other headers set by the browser itself — the browser never ever consults theAccess-Control-Allow-Headersvalue to confirm that it’s OK for the request to include anOriginheader.And per-spec at https://fetch.spec.whatwg.org/#cors-safelisted-request-header,
Acceptis a “CORS-safelisted request-header”, which means that browsers allow requests to contain theAcceptheader regardless of whether theAccess-Control-Allow-Headersvalue contains "Accept".*So it’s unnecessary for the
Access-Control-Allow-Headersto explicitly includeAccept. Browsers will not perform a CORS preflight for requests containing anAcceptrequest header.Related: matrix-org/matrix-spec-proposals#3225
Signed-off-by: Michael[tm] Smith mike@w3.org
* There is actually one edge case in which browsers won’t allow an
Acceptheader in a request: If the value contains a “CORS-unsafe request-header byte” https://fetch.spec.whatwg.org/#cors-unsafe-request-header-byte. But in that case, theAcceptheader is anyway malformed and is therefore not going to have its intended effect. So that edge case doesn’t merit includingAcceptin theAccess-Control-Allow-Headersvalue.