Open fusionbeam opened 1 month ago
For PostgREST to return Access-Control-Allow-Headers
you'll need to add the header Access-Control-Request-Headers
in the CORS pre-flight request. It will include the header that you specify there in the list of allowed headers by default. For example:
curl -X OPTIONS "http://localhost:3000/todos" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: X-App-Id" \
-H "Origin: http://www.example.com" -i
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 22 May 2024 18:12:48 GMT
Server: postgrest/12.1 (b6c6f2b)
X-Request:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Authorization, X-App-Id, Accept, Accept-Language, Content-Language
Access-Control-Max-Age: 86400
AFAIK the browser adds Access-Control-Request-Headers
to the pre-flight, when specifying headers in a fetch()
, for instance.
Environment
Description of issue
I am trying to add a custom header (x-app-id) to postgrest requests. My intention is to use the value of this header in RLS policies. I noticed PostGREST has no way to add this header to the list of allowed headers: Access-Control-Allow-Headers
Would you consider supporting controlling the allowed headers via a configuration parameter similar to server-cors-allowed-origins ? It would be something like:
server-cors-allowed-headers="Authorization, Content-Type, Accept, Accept-Language, Content-Language, X-App"
or to just configure the extra headers:server-cors-allowed-headers="X-App"
Thank you, Ra