When running an API that had only some resources available for CORS setting the global allowCrossDomain = false caused Access-Control-Allow-Headers to be output twice as i was sorting the cors like the below.
Presumably the line of code in the api.cfc is set up to check the length of allowCrossDomain as you can put in a list of domains, but with false also being treated as a string it also then passes this check.
Its not a huge issues and the workaround was to set allowCrossDomain to an empty string - Running taffy 3.1.
CF 2016 / Taffy 3.1 / Java 15.0.1
https://github.com/atuttle/Taffy/blob/3cefedfa5b85d1c023102559584f20e3bfd4ba7b/core/api.cfc#L249
When running an API that had only some resources available for CORS setting the global
allowCrossDomain = false
causedAccess-Control-Allow-Headers
to be output twice as i was sorting the cors like the below.Presumably the line of code in the api.cfc is set up to check the length of
allowCrossDomain
as you can put in a list of domains, but withfalse
also being treated as a string it also then passes this check.Its not a huge issues and the workaround was to set
allowCrossDomain
to an empty string - Running taffy 3.1.