Add PATCH to CORS allowed request methods (#24373)

* add PATCH to cors request methods * changelog
2025-10-30 02:02:43 +00:00 · 2023-12-07 11:27:35 +01:00
parent 8a46bee768
commit 959d548ac6
3 changed files with 26 additions and 0 deletions
--- a/changelog/24373.txt
+++ b/changelog/24373.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+http: Include PATCH in the list of allowed CORS methods
+```
--- a/http/cors.go
+++ b/http/cors.go
@@ -18,6 +18,7 @@ var allowedMethods = []string{
 	http.MethodOptions,
 	http.MethodPost,
 	http.MethodPut,
+	http.MethodPatch,
 	"LIST", // LIST is not an official HTTP method, but Vault supports it.
 }

--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -118,6 +118,28 @@ func TestHandler_parseMFAHandler(t *testing.T) {
 	}
 }

+// TestHandler_CORS_Patch verifies that http PATCH is included in the list of
+// allowed request methods
+func TestHandler_CORS_Patch(t *testing.T) {
+	core, _, _ := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	corsConfig := core.CORSConfig()
+	err := corsConfig.Enable(context.Background(), []string{addr}, nil)
+	require.NoError(t, err)
+	req, err := http.NewRequest(http.MethodOptions, addr+"/v1/sys/seal-status", nil)
+	require.NoError(t, err)
+
+	req.Header.Set("Origin", addr)
+	req.Header.Set("Access-Control-Request-Method", http.MethodPatch)
+
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+}
+
 func TestHandler_cors(t *testing.T) {
 	core, _, _ := vault.TestCoreUnsealed(t)
 	ln, addr := TestServer(t, core)