Add preflight OPTIONS handling and update CORS config #4086
Couple of tweaks to our CORS configuration and how we handle OPTIONS requests. This update is geared towards making our service more compatible with clients originally designed to work with OpenAI, where sending an Authorization header is common.

Details of Changes

Handling OPTIONS Requests: I added a quick return for OPTIONS requests in our allowedHostsMiddleware. This means we're now ending these preflight requests with a 204 (No Content) status right off the bat.

Updating CORS for Authorization Headers: Since some of the Ollama clients automatically send an Authorization header (because they're set up for OpenAI), I've updated our CORS config to accept these headers. This is needed for making sure these clients can interact with our service without hitting CORS.

Security

Since we're not currently using the Authorization header for our own authentication, allowing this header doesn't open us up to new security risks as long as we don't have auth.

Enabling the OPTIONS method is mainly about letting browsers do their preflight check when they see that Authorization header. It's pretty standard and doesn't pose a direct risk by itself as far as I am aware.

resolves #4001
resolves #3983
resolves ollama/ollama-js#80