Closed
Changes from 2 commits
2 changes: 1 addition & 1 deletion packages/astro/src/core/app/middlewares.ts
Expand Up @@ -25,7 +25,7 @@ export function createOriginCheckMiddleware(): MiddlewareHandler {
if (isPrerendered) {
return next();
}
if (request.method === 'GET') {
if (request.method === 'GET' || request.method === "HEAD") {
Contributor

@corneliusroemer corneliusroemer Jan 30, 2025

Suggested change
if (request.method === 'GET' || request.method === "HEAD") {
if (request.method === 'GET' || request.method === 'HEAD' || request.method === 'OPTIONS' || request.method === 'TRACE') {

There are 2 more safe request methods that should be added as exemptions besides GET and HEAD: OPTIONS and TRACE.

Maybe one should add centralized functions to define safe and unsafe functions/properties on request? So one can do:

if (request.isSafe) { ... }

and reduce scope for making the same mistake in multiple places?

See source for definition of safe methods: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods#safe_idempotent_and_cacheable_request_methods

Contributor Author

👍

return next();
}
const sameOrigin =
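Review bot: on the changed line the added `"HEAD"` is double-quoted while `'GET'` next to it is single-quoted, and the growing `||` chain is exactly the repetition the thread worries about; consider one shared set, e.g. `const SAFE_METHODS = new Set(['GET', 'HEAD']);` followed by `if (SAFE_METHODS.has(request.method)) return next();`, so the exemption list lives in a single place and any later additions (such as the OPTIONS/TRACE ones suggested above) are made once. Exempting HEAD is consistent with what the check is for: safe methods are defined as not changing server state, so the origin check only needs to guard state-changing requests, and the `isPrerendered` bypass just above is unaffected.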
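As an added example (not Astro's code and not the commenter's), here is the centralised safe-method predicate the review comment proposes, wired into a minimal origin check so the HEAD exemption from the diff and the suggested OPTIONS/TRACE exemptions can be exercised together. `MinimalRequest`, `isSafeMethod`, `originCheck` and the sample requests are all constructed for this illustration and stand in for the Fetch `Request` and Astro's real middleware.

```typescript
// Added example, not Astro's own code: a centralised safe-method predicate of
// the kind the review thread proposes, driving a minimal CSRF origin check.
// MinimalRequest is a constructed stand-in for the Fetch API Request.

// RFC 9110 safe methods: they must not change server state, so the origin
// check has nothing to protect on them (this mirrors the exemption in the diff).
const SAFE_METHODS: ReadonlySet<string> = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function isSafeMethod(method: string): boolean {
  // Fetch upper-cases standard method tokens; hand-built requests may not.
  return SAFE_METHODS.has(method.toUpperCase());
}

interface MinimalRequest {
  method: string;
  url: string;
  headers: Record<string, string>; // lower-cased header names
}

type Verdict = 'allow' | 'reject';

// Unsafe requests must carry an Origin (falling back to Referer) whose origin
// equals the request URL's origin. A missing or unparsable value is rejected,
// which also covers the literal "Origin: null" sent from opaque origins.
function originCheck(req: MinimalRequest): Verdict {
  if (isSafeMethod(req.method)) return 'allow';
  const source = req.headers['origin'] ?? req.headers['referer'];
  if (!source) return 'reject'; // unsafe request with no provenance at all
  try {
    return new URL(source).origin === new URL(req.url).origin ? 'allow' : 'reject';
  } catch {
    return 'reject'; // "null" or garbage is not a URL
  }
}

// Constructed sample requests for a stand-alone run.
const samples: MinimalRequest[] = [
  { method: 'HEAD', url: 'https://app.example/api', headers: {} },
  { method: 'POST', url: 'https://app.example/api', headers: { origin: 'https://app.example' } },
  { method: 'POST', url: 'https://app.example/api', headers: { origin: 'https://evil.example' } },
  { method: 'POST', url: 'https://app.example/api', headers: { origin: 'null' } },
  { method: 'POST', url: 'https://app.example/api', headers: {} },
];

for (const s of samples) console.log(s.method, JSON.stringify(s.headers), originCheck(s));
```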