SaschaAdler
commented
5 years ago Solved by https://github.com/crkn-rcdr/upholstery/commit/a0ddc0e5b8e78f9dd891dd862d21a26bfa0441da, which also allows CORS requests in general. Origin is set to * because upholstery will reject non-authorized requests regardless of origin.
fetch()uses a pre-flightOPTIONSrequest to let the server know that a fancy CORS thing is about to happen. This request does not have the Authorization header set, and so it will fail in upholstery as things currently work.