Open matids opened 9 years ago
I am not sure about the security implications. But this should probably not be the default just in case there are problems. If you do a PR to make this the behaviour if Access-Control-Allow-Headers == '*' I will merge it. Tx.
@davidtinker Hey, I've implemented the change and made a PR. See here: https://github.com/davidtinker/grails-cors/pull/40.
Thank you!
Hi Guys,
I'm facing a situation where different browsers (Safari, Mobile Safari, and Chrome) are requesting different headers. Of course I can add each header manually, but I'm afraid a new version of any of the browsers will request a new header in the future and my app will stop working. Since you cannot use wildcards on the Allow-Headers, wouldn't it be nice to add an option in the config to respond with the requested headers?
I added this to the CorsFilter file:
resp.addHeader("Access-Control-Allow-Headers",req.getHeader("Access-Control-Request-Headers"));
And it's working fine for me.
What are your thoughts about this? Can this be seen as a security flaw?
Thanks!
Matias
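The behaviour discussed in this thread (echo the requested headers only when the configured value is `*`) as an added example; it is not the plugin's code or the code from the linked PR. The class, method and parameter names are hypothetical, and the null handling and header-name validation are assumptions about what a filter should do when the preflight carries no or a malformed `Access-Control-Request-Headers`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class AllowHeadersPolicy {
    // RFC 7230 "token": the only characters legal in a header field name.
    private static final Pattern TOKEN =
            Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");

    /**
     * @param configured operator's allow-headers setting (hypothetical parameter)
     * @param requested  raw Access-Control-Request-Headers value, may be null
     * @return value for Access-Control-Allow-Headers, or null to omit the header
     */
    static String allowHeadersFor(String configured, String requested) {
        if (!"*".equals(configured)) {
            return configured;          // explicit list stays the default: never echo
        }
        if (requested == null) {
            return null;                // nothing was requested, nothing to echo
        }
        List<String> names = new ArrayList<>();
        for (String part : requested.split(",")) {
            String name = part.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (!TOKEN.matcher(name).matches()) {
                return null;            // CR/LF, ':' or spaces: refuse to reflect
            }
            names.add(name);
        }
        return names.isEmpty() ? null : String.join(", ", names);
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured traffic.
        System.out.println(allowHeadersFor("*", "x-requested-with, content-type"));
        System.out.println(allowHeadersFor("Content-Type, Accept", "x-custom"));
        System.out.println(allowHeadersFor("*", null));
        System.out.println(allowHeadersFor("*", "x-a\r\nSet-Cookie: injected"));
    }
}
```

With `*` configured, the filter permits any header name a cross-origin caller asks for, so the origin allow-list and the credentials setting are the controls that still restrict who can send such requests.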