I've been trying to get Vulcain working in a situation where CORS is necessary. At the moment it seems to me that browsers are blocking preload requests, because the generated link headers do not include the crossorigin attribute (docs).
I'd propose adding crossorigin=anonymous, if the Access-Control-Allow-Origin header is present. And crossorigin=use-credentials, if the Access-Control-Allow-Credentials header is true (docs).
However, I'm not entirely sure what should happen, if the related resources are owned by different API-s (e.g. bookapi.com/book/1 is referencing authorapi.com/author/2). In that case the abovementioned could not be implied from the response headers.
Since the Link headers are added by Vulcain, there's no way for the upstream to handle this or is there?
I've been trying to get Vulcain working in a situation where CORS is necessary. At the moment it seems to me that browsers are blocking preload requests, because the generated link headers do not include the
crossoriginattribute (docs).I'd propose adding
crossorigin=anonymous, if theAccess-Control-Allow-Originheader is present. Andcrossorigin=use-credentials, if theAccess-Control-Allow-Credentialsheader istrue(docs).However, I'm not entirely sure what should happen, if the related resources are owned by different API-s (e.g.
bookapi.com/book/1is referencingauthorapi.com/author/2). In that case the abovementioned could not be implied from the response headers.Since the
Linkheaders are added by Vulcain, there's no way for the upstream to handle this or is there?