In CherryPy I can prevent the Handler from running by setting cherrypy.request.handler = None in a Tool. But how can I prevent other tools from running?
Specifically, JS/AJAX likes to make an OPTIONS request without the Authorization (and other non-standard) header(s).
So I set my cors Tool to be before my Auth checking tool, and as a workaround in my Auth checking tool I first check whether the method is OPTIONS; if it is OPTIONS I pass, otherwise I expect the Authorization header.
The problem is this is not secure. The actual static file is returned by another tool. This is a standard tool (cherrypy static file tool) so I can't modify it. Basically, by sending an OPTIONS request a user might be able to read arbitrary data. So how do I prevent any other Tools from running?
As it happens my testing shows that currently the Static Files tool doesn't actually return the image on an OPTIONS request. I'm guessing this is intentional behaviour, but depending on this seems insecure.
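The ordering problem described in the question, as an added example that is not part of the original post and is not CherryPy code: a simplified model of priority-ordered tools. It compares the "let OPTIONS pass" auth workaround with a variant where the CORS tool answers the preflight itself and stops the chain. All names (`Halt`, `dispatch`, `any_method`, the sample path and token) are hypothetical, and the `any_method` flag models the assumption that a file-serving tool might not check the HTTP method.

```python
# Simplified model of priority-ordered request tools (constructed, not CherryPy code).
FILES = {"/img/secret.png": b"PNGDATA"}  # constructed sample file
TOKEN = "Bearer good-token"              # constructed credential

class Halt(Exception):
    """A tool answers the request itself; no later tool runs."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def cors_tool(req, resp, short_circuit):
    resp["headers"]["Access-Control-Allow-Origin"] = "https://app.example"
    if short_circuit and req["method"] == "OPTIONS":
        resp["headers"]["Access-Control-Allow-Headers"] = "Authorization"
        raise Halt(204)  # preflight fully answered here

def auth_tool(req, resp, allow_options):
    if allow_options and req["method"] == "OPTIONS":
        return  # workaround from the post: OPTIONS passes unauthenticated
    if req["headers"].get("Authorization") != TOKEN:
        raise Halt(401)

def static_tool(req, resp, any_method):
    # any_method=True models a file tool that ignores the HTTP method
    if (any_method or req["method"] in ("GET", "HEAD")) and req["path"] in FILES:
        resp["body"] = FILES[req["path"]]

def dispatch(req, hardened, any_method=True):
    resp = {"status": 200, "headers": {}, "body": b""}
    tools = [
        (10, lambda: cors_tool(req, resp, short_circuit=hardened)),
        (20, lambda: auth_tool(req, resp, allow_options=not hardened)),
        (30, lambda: static_tool(req, resp, any_method)),
    ]
    try:
        for _, tool in sorted(tools, key=lambda t: t[0]):
            tool()
    except Halt as stop:
        resp["status"], resp["body"] = stop.status, b""
    return resp

def request(method, token=None):
    headers = {"Authorization": token} if token else {}
    return {"method": method, "path": "/img/secret.png", "headers": headers}

if __name__ == "__main__":
    for hardened in (False, True):
        r = dispatch(request("OPTIONS"), hardened)
        print("hardened" if hardened else "workaround", r["status"], r["body"])
```

With the workaround, the response to an unauthenticated OPTIONS request depends entirely on how the last tool treats the method; with the short-circuit, no later tool is reached at all.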