CORS test sends non-CORS request

[achingbrain]

There's a test:

"GET Responses from Gateway should include CORS headers allowing JS from other origins to read the data cross-origin."

It makes a GET request to "/ipfs/{{CID}}/" and expects Access-Control-Allow-Origin etc in the response.

The test sends:

GET /ipfs/bafkqabtimvwgy3yk/ HTTP/1.1
Host: host.docker.internal:8080
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

The fetch spec says:

A CORS request is an HTTP request that includes an Origin header. It cannot be reliably identified as participating in the CORS protocol as the Origin header is also included for all requests whose method is neither GET nor HEAD.

There is no Origin header in the request, so this is not a CORS request.

Why does the test expect CORS headers in the response?

[achingbrain]

I would say also, the GET test expects the following headers to be present in the response:

• Access-Control-Allow-Origin
• Access-Control-Allow-Methods
• Access-Control-Allow-Headers
• Access-Control-Expose-Headers

Of these only Access-Control-Allow-Origin is valid in the response to a CORS request, the others are for a CORS-preflight request (e.g. OPTIONS, not GET) so I don't think this test is valid. Ref - https://fetch.spec.whatwg.org/#http-responses

Is it just asserting on the behaviour of the go-HTTP server? There's no mention of CORS in any of the HTTP Gateway specs so it's unclear what's intended to happen here.

[lidel]

Yes, I believe the test is this way because Kubo (go-libp2p legacy parts) do overkill and send always send preflight headers, so whenever test was written, it was implemented incorrectly.

Yes, we should clean this up.