feat: warn about CORS preflight requests on Web#2556
Conversation
Detect when a request is not a CORS "simple request" and will trigger a preflight (OPTIONS) request, then emit a warning log and enrich the XMLHttpRequest.onError message with CORS guidance. Closes #2201 Generated with [Devin](https://devin.ai) Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Code Coverage Report: Only Changed Files listed
Minimum allowed coverage is |
AlexV525
left a comment
There was a problem hiding this comment.
Thanks for driving this — the extraction of corsPreflightReason into a pure, testable helper is a nice touch, the CHANGELOG entry is clean, and feat/web-cors-preflight-warning already matches the branch-naming convention that just landed in AGENTS.md. Left three inline comments on the substantive points; a few AGENTS.md formalities below.
AGENTS.md formalities (fixup, or a follow-up)
- Commit / PR title should be gitmoji + Conventional per AGENTS.md §8.2 —
✨ feat: warn about CORS preflight requests on Web. - AI attribution disclosure per §8.3: Devin's
Co-Authored-Bytrailer is present ✓, but if GLM-5.2 also produced code / tests / docs (as noted on #2549), it should have its own trailer. Please also add one line to the PR description stating which agent did which stage — design / implementation / tests / review. - Test-plan item 4 — “existing
corsTestsstill cover runtime behavior” isn't quite right: those tests predate this PR and can't cover the newly-added warning + enriched-error paths. Either run browser CI and check the box, or replace the note with an honest “browser paths not exercised locally”. (Related: AGENTS.md §8.6 now prefers a prose description of what was actually verified over a boilerplate test-plan checklist — no need to restructure this PR, just heads-up for the next one.)
|
|
||
| import 'cors.dart'; | ||
|
|
||
| export 'cors.dart' show corsPreflightReason; |
There was a problem hiding this comment.
This export makes corsPreflightReason a permanent public API of dio_web_adapter, but the test file already imports it via package:dio_web_adapter/src/cors.dart and doesn't need the export. Unless we intentionally want to expose this as a downstream API (with a CHANGELOG note and awareness that future signature changes would be breaking), please remove the export. Adding public surface for testing only is a compat trap.
| // Detect configurations that will trigger a CORS preflight request so we | ||
| // can warn the developer and enrich the eventual error message. | ||
| // See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests | ||
| final preflightReasons = <String>[ |
There was a problem hiding this comment.
The three new branches added by this PR — willRegisterUploadListener (sendTimeout / onSendProgress), withCredentials, and the enriched onError message construction below — are not exercised by the new tests. All 15 tests cover only corsPreflightReason (the pure helper). The coverage bump on this file (19.27% → 22.41%) doesn't show whether these specific lines were hit. Could you either add a browser-side integration case in dio_test for these paths, or lift them into pure helpers alongside corsPreflightReason so they can be unit-tested too?
| ); | ||
| } | ||
| if (preflightReasons.isNotEmpty) { | ||
| warningLog( |
There was a problem hiding this comment.
This will fire on essentially every JSON POST in every dio-on-Web app — including the (very common) case where the backend handles CORS preflight correctly. Would you consider an opt-out (e.g., an option on the adapter, or a setter akin to debugPrint), or dropping the log to a lower verbosity when the app has no way to know whether preflight succeeded? A permanent warning per request seems louder than the underlying issue warrants.
Summary
warningLogexplaining why (non-safelisted method, custom headers, non-simple Content-Type, upload progress listener, orwithCredentials).XMLHttpRequest.onErrorerror message with CORS guidance when the request was preflighted, so users see a actionable hint instead of a generic network error.lib/src/cors.dart(corsPreflightReason) so it can be unit-tested on the VM without a browser.Closes #2201.
Test plan
dart analyze— no issuesdart format— applieddart test test/cors_preflight_test.dart -p vm— 15 tests passdio_test) — existingcorsTestsstill cover runtime behaviorGenerated with Devin