CORS access controls not applied for non-GET requests to the tracker #16380
Labels
not-in-changelog
For issues or pull requests that should not be included in our release changelog on matomo.org.
wontfix
If you can reproduce this issue, please reopen the issue or create a new one describing it.
Comments
|
Note: This is in the tracker context only. I'll also post the same comment in the PR just in case someone reads it. @fmarier If we removed this then POST tracking requests wouldn't work anymore and always fallback to GET. See eg This is currently their on purpose and because not really any information can be retrieved from this it shouldn't be any problem. |
tsteur
added
not-in-changelog
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Matomo has a configuration option to restrict CORS requests to specific domains and that's correctly implemented in the CORSHandler in the case of
GETrequests. However, some additional code overrides the CORSHandler in the case of non-GETrequests.Unless there is a reason for bypassing the CORSHandler, it would be safer to treat all HTTP methods the same.
The text was updated successfully, but these errors were encountered: