CORS access controls not applied for non-GET requests to the tracker #16380
Labels
not-in-changelog
wontfix
Matomo has a configuration option to restrict CORS requests to specific domains and that's correctly implemented in the CORSHandler in the case of GET requests. However, some additional code overrides the CORSHandler in the case of non-GET requests. Unless there is a reason for bypassing the CORSHandler, it would be safer to treat all HTTP methods the same.
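An added example (not Matomo code and not part of the original issue): a check, run over recorded tracker responses, that the configured origin allow-list is enforced the same way for every HTTP method. The origins, observations and function names are constructed for illustration, and what the non-GET path actually returns is an assumption.

```python
from collections import defaultdict


def acao_violation(origin, headers, allowed_origins):
    """Return a reason if the response grants cross-origin access to an
    Origin that is not on the allow-list, otherwise None."""
    # HTTP header names are case-insensitive.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None or origin in allowed_origins:
        return None
    if acao == "*":
        return "wildcard"
    if acao == origin:
        return "reflected origin"
    return None


def audit(observations, allowed_origins):
    """Group violations by HTTP method: {method: [(origin, reason), ...]}."""
    findings = defaultdict(list)
    for method, origin, headers in observations:
        reason = acao_violation(origin, headers, allowed_origins)
        if reason:
            findings[method.upper()].append((origin, reason))
    return dict(findings)


# Constructed sample data: (method, Origin sent, response headers seen).
ALLOWED = {"https://shop.example"}
OBSERVATIONS = [
    ("GET", "https://shop.example",
     {"Access-Control-Allow-Origin": "https://shop.example"}),
    ("GET", "https://other.example", {}),  # allow-list enforced
    ("POST", "https://shop.example",
     {"Access-Control-Allow-Origin": "https://shop.example"}),
    ("POST", "https://other.example",      # assumed override behaviour
     {"access-control-allow-origin": "https://other.example"}),
    ("OPTIONS", "https://other.example",
     {"Access-Control-Allow-Origin": "*"}),
]

if __name__ == "__main__":
    for method, hits in audit(OBSERVATIONS, ALLOWED).items():
        print(method, hits)
```

A method that appears in the result is one where the allow-list is not being applied; an empty result means all recorded methods were treated the same.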