Send in a CORS preflight request with following header:
'''
Access-Control-Request-Method: http://example.com
'''
The returned status code is 500. This is an client error so the reasonable status is 400.
The root cause is the CorsMessageHandler tries to create inner preflight message request with the value of this header without validating it. It is none of the http methods names so cause exception.
Suggest fix is to capture the exception and interrupt it as client error.
Comments: Fixed by: https://aspnetwebstack.codeplex.com/SourceControl/changeset/74e209d57400432e09be40ade466911a4ffc1ed4
'''
Access-Control-Request-Method: http://example.com
'''
The returned status code is 500. This is an client error so the reasonable status is 400.
The root cause is the CorsMessageHandler tries to create inner preflight message request with the value of this header without validating it. It is none of the http methods names so cause exception.
Suggest fix is to capture the exception and interrupt it as client error.
Comments: Fixed by: https://aspnetwebstack.codeplex.com/SourceControl/changeset/74e209d57400432e09be40ade466911a4ffc1ed4