dgraph-io / dgraph-docs

A native GraphQL Database with a graph backend
https://dgraph.io/docs

[BUG] Dgraph.Allow-Origin CORS setting does not work as docs claim #640

Open ericwhitefield opened 1 year ago

ericwhitefield commented 1 year ago

Documentation here: https://dgraph.io/docs/graphql/security/cors/

Claims that adding config line(s) to the bottom of the Schema file will modify the Response header accordingly.

Perhaps "star" would be a special case. Or perhaps not. The Docs do not specify if a "star" would cause the Response header to contain "star", OR if the header would echo back the Referrer header of the Request. Either way, it's not currently working.

For specifically listed domains one might assume the Response header would echo back the Request's "Referrer" header.


```graphql
# Dgraph.Allow-Origin "*"
```

Expected response header:

```
access-control-allow-origin: *
```

Actual response header: ❌

```
access-control-allow-origin: https://cloud.dgraph.io
```

```graphql
# Dgraph.Allow-Origin "https://localhost:3000"
# Dgraph.Allow-Origin "https://example.com"
```

Expected response header from a request from https://localhost:3000:

```
access-control-allow-origin: https://localhost:3000
```

Actual response header: ❌

```
access-control-allow-origin: https://cloud.dgraph.io
```

```graphql
# Dgraph.Allow-Origin "https://localhost:3000"
# Dgraph.Allow-Origin "https://example.com"
```

Expected response header from a request from https://example.com:

```
access-control-allow-origin: https://example.com
```

Actual response header: ❌

```
access-control-allow-origin: https://cloud.dgraph.io
```

```graphql
# Dgraph.Allow-Origin "https://localhost:3000"
# Dgraph.Allow-Origin "https://example.com"
```

Expected response header from a request from https://cloud.dgraph.io:

```
access-control-allow-origin: https://cloud.dgraph.io
```

Actual response header: ✅

```
access-control-allow-origin: https://cloud.dgraph.io
```
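The following is an added Go example, not Dgraph's own code, that makes the expected matrix above concrete: it parses `# Dgraph.Allow-Origin` comment lines from a schema and computes the `Access-Control-Allow-Origin` value the reporter expects (`*` when a star is configured, a listed origin echoed back, `https://cloud.dgraph.io` always allowed). Omitting the header for a non-listed origin, and returning a literal `*` for the star case, are assumptions, since the thread notes the docs leave those points unspecified.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Origin the docs say is always allowed (quoted later in this thread).
const alwaysAllowed = "https://cloud.dgraph.io"

// parseAllowOrigins collects the origins declared in schema comments of
// the form:  # Dgraph.Allow-Origin "<origin>"   (other lines are ignored).
func parseAllowOrigins(schema string) []string {
	const prefix = "# Dgraph.Allow-Origin"
	var origins []string
	sc := bufio.NewScanner(strings.NewReader(schema))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, prefix) {
			continue
		}
		value := strings.TrimSpace(strings.TrimPrefix(line, prefix))
		origins = append(origins, strings.Trim(value, `"`))
	}
	return origins
}

// allowOriginHeader returns the Access-Control-Allow-Origin value for a
// request carrying requestOrigin, and false when the origin is not allowed
// (assumption: the header is then omitted rather than set to a default).
func allowOriginHeader(allowed []string, requestOrigin string) (string, bool) {
	for _, o := range allowed {
		if o == "*" {
			return "*", true // reporter's expectation for the star case
		}
	}
	if requestOrigin == alwaysAllowed {
		return alwaysAllowed, true
	}
	for _, o := range allowed {
		if o == requestOrigin { // exact serialized-origin comparison
			return requestOrigin, true // echo the matching listed origin
		}
	}
	return "", false
}

func main() {
	// Constructed sample schema mirroring the report's second scenario.
	allowed := parseAllowOrigins("type Post { id: ID! }\n# Dgraph.Allow-Origin \"https://localhost:3000\"\n# Dgraph.Allow-Origin \"https://example.com\"\n")
	for _, origin := range []string{"https://example.com", alwaysAllowed, "https://other.example"} {
		v, ok := allowOriginHeader(allowed, origin)
		fmt.Printf("request Origin %-24s -> header %q allowed=%v\n", origin, v, ok)
	}
}
```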

github-actions[bot] commented 4 months ago

This issue has been stale for 60 days and will be closed automatically in 7 days. Comment to keep it open.

Rajakavitha1 commented 2 months ago

Hi @ericwhitefield, thank you for reporting the issue. I am yet to validate all the expected responses that you mentioned. However, the last response that you mentioned works as expected because the docs do specify that:

https://cloud.dgraph.io is always allowed so that API explorer, in Dgraph Cloud console, continues to work.