#1985 mod_unified_push: Support OPTIONS requests for CORS

Reporter Christian Weiske
Owner Nobody
Created
Updated
Stars ★ (1)
Tags
  • Priority-Medium
  • Status-New
  • Type-Enhancement
  1. Christian Weiske on

    Description of feature:

    mod_unified_push[1] should not only handle POST requests, but also OPTIONS requests and send out CORS headers. In the response to the OPTIONS request, mod_unified_push should send an "Access-Control-Allow-Origin: *" header.

    Motivation:

    I installed mod_unified_push[1] and have issues getting the UnifiedPush feature to work between Nextcloud, mod_unified_push, Conversations and DAVx5.

    To test this, I installed the UP-Example Android app[2] which provides a way to test pushes via the app and a web form. Sending via this HTML web form does not work.

    The web form at https://unifiedpush.org/test_wp.html#endpoint=https://cweiske.de:5281/push/v3.local.Mhz6.... uses JavaScript to send the message. When sending data with JavaScript to a foreign domain, the browser first sends an HTTP OPTIONS request to see if the remote server is fine with random JavaScript code sending data to it.

    mod_unified_push does not react to those OPTIONS requests, the browser never gets a CORS "Access-Control-Allow-Origin" header in the response, and the JavaScript code may never send the test push request.

    [1] https://modules.prosody.im/mod_unified_push
    [2] https://f-droid.org/de/packages/org.unifiedpush.example/
    [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS

  2. Christian Weiske on

    This is with prosody 13.0.1-1 and prosody-modules 0.0~hg20250402.f315edc39f3d+dfsg-2 from Debian 13.

  3. Christian Weiske on

    Prosody / mod_unified_push does indeed respond to an OPTIONS request and delivers CORS headers:

    > Access-Control-Allow-Headers: Content-Type
    > Access-Control-Allow-Methods: OPTIONS, GET, POST
    > Access-Control-Allow-Origin: https://unifiedpush.org
    > Access-Control-Max-Age: 7200

    Nevertheless Firefox says "CORS Missing Allow Header". In the OPTIONS request Firefox sends:

    > Access-Control-Request-Headers: content-encoding,ttl

    The response header "Access-Control-Allow-Headers" doesn't list those two headers.

  4. Christian Weiske on

    Thanks to @Zash I found a solution: Add the two additional headers to the list of allowed headers in prosody's configuration:

    ```
    -- http cors fix for mod_unified_push
    http_cors_override = {
        push = {
            enabled = true;
            headers = {
                ["content-encoding"] = true;
                ttl = true;
            }
        }
    }
    ```
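
An added example, not part of the issue thread or of Prosody: a simplified version of the checks a browser applies to a preflight response, run on the headers quoted in comment 3. The POST method, the request origin and the post-fix response are assumptions, the function names are hypothetical, and the request is assumed to carry no credentials.

```javascript
// Split a comma-separated header value into a lowercase, trimmed list.
function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Return the problems a browser would report for a preflight response (simplified).
// `request` and `response` are plain objects keyed by lowercase header name.
function checkPreflight(request, response) {
  const problems = [];
  const allowOrigin = response["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== request["origin"]) {
    problems.push("origin not allowed");
  }
  const allowMethods = parseList(response["access-control-allow-methods"]);
  const method = (request["access-control-request-method"] || "").toLowerCase();
  const safelisted = ["get", "head", "post"].includes(method);
  if (!safelisted && !allowMethods.includes(method) && !allowMethods.includes("*")) {
    problems.push("method not allowed: " + method);
  }
  const allowHeaders = parseList(response["access-control-allow-headers"]);
  const wildcard = allowHeaders.includes("*");
  for (const h of parseList(request["access-control-request-headers"])) {
    // "*" never covers Authorization; it must be listed by name.
    const covered = allowHeaders.includes(h) || (wildcard && h !== "authorization");
    if (!covered) problems.push("header not allowed: " + h);
  }
  return problems;
}

// Preflight as described in the thread; origin and method are assumed.
const preflight = {
  origin: "https://unifiedpush.org",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-encoding,ttl",
};
// Response headers as quoted in comment 3 (before the fix).
const before = {
  "access-control-allow-headers": "Content-Type",
  "access-control-allow-methods": "OPTIONS, GET, POST",
  "access-control-allow-origin": "https://unifiedpush.org",
  "access-control-max-age": "7200",
};
// Constructed: assumed response once the two headers are allowed.
const after = { ...before, "access-control-allow-headers": "Content-Type, content-encoding, ttl" };

console.log(checkPreflight(preflight, before));
console.log(checkPreflight(preflight, after));
```

Listing the two headers by name, as the configuration above does, keeps the allow list narrower than answering with `Access-Control-Allow-Headers: *`.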
