Closed akrabat closed 6 years ago
I think this is important for the OPTIONS
preflight, it looks like client can specify the headers that the valid requests are intended to send.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Request-Headers
The Access-Control-Request-Headers header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made.
Given this web action:
This JS call in a browser will fail:
With an error message in the Chrome console of:
This is because
defaultCorsResponse
sends backAccess-Control-Allow-Headers
ofAuthorization
andContent-Type
only.What should happen is that
Access-Control-Allow-Headers
should be whatever was sent inAccess-Control-Request-Headers
.