Per the docs, for REST API gateway "if the endpoint config has CORS set to true, the plugin will use the CLI CORS options for the associated route. Otherwise, no CORS headers will be added." We have a custom header in our CORS configuration which prevents us from using cors: true. In my opinion, if the CLI params corsAllowHeaders and corsAllowOrigin are provided it should override template values for any endpoint with CORS configuration, not just endpoints with cors: true.
If others disagree an additional flag --corsAllowAll which sends * value for all CORS headers will allow serverless offline to support local development when a team has a custom CORS configuration. Perhaps both of these changes should be made.
Expected behavior/code
User values for CLI params corsAllowHeaderscorsAllowOrigin should override template values for all endpoints with a CORS config, and/or when user adds --corsAllowAll flag * value is used for all CORS headers on all endpoints (Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, etc).
Feature Request
Per the docs, for REST API gateway "if the endpoint config has CORS set to true, the plugin will use the CLI CORS options for the associated route. Otherwise, no CORS headers will be added." We have a custom header in our CORS configuration which prevents us from using
cors: true
. In my opinion, if the CLI paramscorsAllowHeaders
andcorsAllowOrigin
are provided it should override template values for any endpoint with CORS configuration, not just endpoints withcors: true
.If others disagree an additional flag
--corsAllowAll
which sends*
value for all CORS headers will allow serverless offline to support local development when a team has a custom CORS configuration. Perhaps both of these changes should be made.Expected behavior/code
User values for CLI params
corsAllowHeaders
corsAllowOrigin
should override template values for all endpoints with a CORS config, and/or when user adds--corsAllowAll
flag*
value is used for all CORS headers on all endpoints (Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, etc).