Skip to content

Commit 29f6d82

Browse files
ngxsonngxson
committed
make CORS preflight more explicit
1 parent 58d0588 commit 29f6d82

File tree

1 file changed

+8
-15
lines changed

1 file changed

+8
-15
lines changed

examples/server/server.cpp

Lines changed: 8 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -2281,16 +2281,6 @@ int main(int argc, char ** argv) {
22812281
std::atomic<server_state> state{SERVER_STATE_LOADING_MODEL};
22822282

22832283
svr->set_default_headers({{"Server", "llama.cpp"}});
2284-
2285-
// CORS preflight
2286-
svr->Options(R"(.*)", [](const httplib::Request &, httplib::Response & res) {
2287-
// Access-Control-Allow-Origin is already set by middleware
2288-
res.set_header("Access-Control-Allow-Credentials", "true");
2289-
res.set_header("Access-Control-Allow-Methods", "POST");
2290-
res.set_header("Access-Control-Allow-Headers", "*");
2291-
return res.set_content("", "text/html"); // blank response, no data
2292-
});
2293-
22942284
svr->set_logger(log_server_request);
22952285

22962286
auto res_error = [](httplib::Response & res, const json & error_data) {
@@ -2356,11 +2346,6 @@ int main(int argc, char ** argv) {
23562346
"/v1/models",
23572347
};
23582348

2359-
// If this is OPTIONS request, skip validation because browsers don't include Authorization header
2360-
if (req.method == "OPTIONS") {
2361-
return true;
2362-
}
2363-
23642349
// If API key is not set, skip validation
23652350
if (params.api_keys.empty()) {
23662351
return true;
@@ -2408,6 +2393,14 @@ int main(int argc, char ** argv) {
24082393
// register server middlewares
24092394
svr->set_pre_routing_handler([&middleware_validate_api_key, &middleware_server_state](const httplib::Request & req, httplib::Response & res) {
24102395
res.set_header("Access-Control-Allow-Origin", req.get_header_value("Origin"));
2396+
// If this is OPTIONS request, skip validation because browsers don't include Authorization header
2397+
if (req.method == "OPTIONS") {
2398+
res.set_header("Access-Control-Allow-Credentials", "true");
2399+
res.set_header("Access-Control-Allow-Methods", "POST");
2400+
res.set_header("Access-Control-Allow-Headers", "*");
2401+
res.set_content("", "text/html"); // blank response, no data
2402+
return httplib::Server::HandlerResponse::Handled; // skip further processing
2403+
}
24112404
if (!middleware_server_state(req, res)) {
24122405
return httplib::Server::HandlerResponse::Handled;
24132406
}

0 commit comments

Comments
 (0)