Skip to content

feat: warn about CORS preflight requests on Web#2556

Open
CaiJingLong wants to merge 1 commit into
mainfrom
feat/web-cors-preflight-warning
Open

feat: warn about CORS preflight requests on Web#2556
CaiJingLong wants to merge 1 commit into
mainfrom
feat/web-cors-preflight-warning

Conversation

@CaiJingLong

Copy link
Copy Markdown
Contributor

Summary

  • Detect when a request is not a CORS "simple request" and will trigger a preflight (OPTIONS) request on the Web platform, then emit a warningLog explaining why (non-safelisted method, custom headers, non-simple Content-Type, upload progress listener, or withCredentials).
  • Enrich the XMLHttpRequest.onError error message with CORS guidance when the request was preflighted, so users see a actionable hint instead of a generic network error.
  • Extract the pure detection logic into lib/src/cors.dart (corsPreflightReason) so it can be unit-tested on the VM without a browser.

Closes #2201.

Test plan

  • dart analyze — no issues
  • dart format — applied
  • dart test test/cors_preflight_test.dart -p vm — 15 tests pass
  • Browser CI (CORS preflight tests in dio_test) — existing corsTests still cover runtime behavior

Generated with Devin

Detect when a request is not a CORS "simple request" and will trigger a
preflight (OPTIONS) request, then emit a warning log and enrich the
XMLHttpRequest.onError message with CORS guidance.

Closes #2201

Generated with [Devin](https://devin.ai)

Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@CaiJingLong CaiJingLong requested a review from a team as a code owner July 8, 2026 08:07
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Code Coverage Report: Only Changed Files listed

Package Base Coverage New Coverage Difference
plugins/web_adapter/lib/src/adapter_impl.dart 🔴 19.27% 🔴 22.41% 🟢 3.14%
plugins/web_adapter/lib/src/cors.dart 🔴 0% 🟢 100% 🟢 100%
Overall Coverage 🟢 85.55% 🟢 85.61% 🟢 0.06%

Minimum allowed coverage is 0%, this run produced 85.61%

@AlexV525 AlexV525 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for driving this — the extraction of corsPreflightReason into a pure, testable helper is a nice touch, the CHANGELOG entry is clean, and feat/web-cors-preflight-warning already matches the branch-naming convention that just landed in AGENTS.md. Left three inline comments on the substantive points; a few AGENTS.md formalities below.

AGENTS.md formalities (fixup, or a follow-up)

  • Commit / PR title should be gitmoji + Conventional per AGENTS.md §8.2 — ✨ feat: warn about CORS preflight requests on Web.
  • AI attribution disclosure per §8.3: Devin's Co-Authored-By trailer is present ✓, but if GLM-5.2 also produced code / tests / docs (as noted on #2549), it should have its own trailer. Please also add one line to the PR description stating which agent did which stage — design / implementation / tests / review.
  • Test-plan item 4 — “existing corsTests still cover runtime behavior” isn't quite right: those tests predate this PR and can't cover the newly-added warning + enriched-error paths. Either run browser CI and check the box, or replace the note with an honest “browser paths not exercised locally”. (Related: AGENTS.md §8.6 now prefers a prose description of what was actually verified over a boilerplate test-plan checklist — no need to restructure this PR, just heads-up for the next one.)


import 'cors.dart';

export 'cors.dart' show corsPreflightReason;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This export makes corsPreflightReason a permanent public API of dio_web_adapter, but the test file already imports it via package:dio_web_adapter/src/cors.dart and doesn't need the export. Unless we intentionally want to expose this as a downstream API (with a CHANGELOG note and awareness that future signature changes would be breaking), please remove the export. Adding public surface for testing only is a compat trap.

// Detect configurations that will trigger a CORS preflight request so we
// can warn the developer and enrich the eventual error message.
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests
final preflightReasons = <String>[

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The three new branches added by this PR — willRegisterUploadListener (sendTimeout / onSendProgress), withCredentials, and the enriched onError message construction below — are not exercised by the new tests. All 15 tests cover only corsPreflightReason (the pure helper). The coverage bump on this file (19.27% → 22.41%) doesn't show whether these specific lines were hit. Could you either add a browser-side integration case in dio_test for these paths, or lift them into pure helpers alongside corsPreflightReason so they can be unit-tested too?

);
}
if (preflightReasons.isNotEmpty) {
warningLog(

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will fire on essentially every JSON POST in every dio-on-Web app — including the (very common) case where the backend handles CORS preflight correctly. Would you consider an opt-out (e.g., an option on the adapter, or a setter akin to debugPrint), or dropping the log to a lower verbosity when the app has no way to know whether preflight succeeded? A permanent warning per request seems louder than the underlying issue warrants.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Prompt for not simple requests on Web

2 participants