
allows head requests to return 200 instead of 403 #13100

Closed
joshmkennedy wants to merge 5 commits into withastro:main from joshmkennedy:fix-head-method-403

Conversation

@joshmkennedy
Contributor

Changes

  • What does this change?

Fixes issue #13079: by checking if the request method is "HEAD", it allows the request to continue with the middleware and not return a 403.

I don't believe the docs should need to be updated.

@changeset-bot

changeset-bot bot commented Jan 30, 2025

🦋 Changeset detected

Latest commit: 6e926f5

The changes in this PR will be included in the next version bump.


@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Jan 30, 2025
Member

@ematipico ematipico left a comment

Please create a test and a changeset

@codspeed-hq

codspeed-hq bot commented Jan 30, 2025

CodSpeed Performance Report

Merging #13100 will not alter performance

Comparing joshmkennedy:fix-head-method-403 (6e926f5) with main (23e631c)

Summary

✅ 6 untouched benchmarks

return next();
}
if (request.method === 'GET') {
if (request.method === 'GET' || request.method === "HEAD") {
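Review bot: On the changed `if` line, `"HEAD"` is written with double quotes while `'GET'` on the same line uses single quotes; use `'HEAD'` so the line is consistent. Because this condition decides which methods take the early path instead of the rest of the check, it would be worth a test that sends a HEAD request and expects it to follow the same path as GET, next to one showing that other methods still reach the check. If more methods are going to be listed here, a membership test against one named set of methods would be easier to audit than a chain of `===` comparisons.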
Contributor

@corneliusroemer corneliusroemer Jan 30, 2025

Suggested change
if (request.method === 'GET' || request.method === "HEAD") {
if (request.method === 'GET' || request.method === 'HEAD' || request.method === 'OPTIONS' || request.method === 'TRACE') {

There are 2 more safe request methods that should be added as exemptions besides GET and HEAD: OPTIONS and TRACE.

Maybe one should add centralized functions to define safe and unsafe functions/properties on request? So one can do:

if (request.isSafe) { ... }

and reduce scope for making the same mistake in multiple places?

See source for definition of safe methods: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods#safe_idempotent_and_cacheable_request_methods
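
The centralized safe-method check suggested in the comment above, sketched as an added example (not code from this PR or from Astro). `SAFE_METHODS`, `isSafeMethod`, `checkOrigin`, the form content-type list and the `site.example` URLs are assumptions made for illustration; TRACE is left out in line with the "remove trace method" item in the commit message further down the page.

```javascript
// Added example, not Astro's code. Safe (read-only) methods exempt from the check.
// TRACE is omitted, matching the "remove trace method" commit item on this page.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Content types an HTML form can submit cross-site without a CORS preflight.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Exact, case-sensitive match: any method not listed falls through to the check.
function isSafeMethod(method) {
  return SAFE_METHODS.has(method);
}

function isFormLike(contentType) {
  if (!contentType) return false;
  const mime = contentType.split(';')[0].trim().toLowerCase();
  return FORM_TYPES.includes(mime);
}

// Hypothetical middleware; `request` needs .method, .url and .headers.get().
function checkOrigin(request, next) {
  if (isSafeMethod(request.method)) return next();
  const sameOrigin = request.headers.get('origin') === new URL(request.url).origin;
  if (!sameOrigin && isFormLike(request.headers.get('content-type'))) {
    return new Response(`Cross-site ${request.method} form submissions are forbidden`, { status: 403 });
  }
  return next();
}

// Constructed sample request against a constructed site URL.
function sample(method, headers = {}) {
  return { method, url: 'https://site.example/api/item', headers: new Headers(headers) };
}

// Status the middleware yields when the downstream handler answers 200.
function statusFor(method, headers) {
  return checkOrigin(sample(method, headers), () => new Response(null, { status: 200 })).status;
}

const form = { 'content-type': 'application/x-www-form-urlencoded' };
for (const [method, origin] of [['HEAD', null], ['OPTIONS', 'https://other.example'],
  ['POST', 'https://other.example'], ['POST', 'https://site.example'], ['POST', null]]) {
  const headers = origin ? { ...form, origin } : form;
  console.log(method, origin ?? '(no Origin)', '->', statusFor(method, headers));
}
```

Keeping the exemption in one set means a method that is not listed, including an unknown or oddly cased one, still goes through the origin check.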

Contributor Author

👍

@github-actions github-actions bot added the semver: major Change triggers a `major` release label Jan 31, 2025
Contributor

@github-actions github-actions bot left a comment

This PR is blocked because it contains a major changeset. A reviewer will merge this at the next release if approved.

@joshmkennedy
Contributor Author

I believe @corneliusroemer may have a better solution here: #13101

ematipico added a commit that referenced this pull request Feb 13, 2025
…ell (#13101)

* fix: respond with 200 to HEAD requests for non-prerendered pages as well

Fixes #13079

Inspired by @joshmkennedy's PR #13100

* chore: add more test cases

* Update .changeset/tricky-toes-drum.md

* chore: remove trace method

---------

Co-authored-by: Emanuele Stoppa <my.burning@gmail.com>