@fmarier opened this Issue on September 4th 2020

Matomo has a configuration option to restrict CORS requests to specific domains and that's correctly implemented in the CORSHandler in the case of GET requests. However, some additional code overrides the CORSHandler in the case of non-GET requests.

Unless there is a reason for bypassing the CORSHandler, it would be safer to treat all HTTP methods the same.

@tsteur commented on September 4th 2020 Member

Note: This is in the tracker context only. I'll also post the same comment in the PR just in case someone reads it.

@fmarier If we removed this then POST tracking requests wouldn't work anymore and would always fall back to GET.

See eg

This is currently there on purpose, and because not really any information can be retrieved from this, it shouldn't be any problem.

This Issue was closed on September 6th 2020
