I've been trying to get Vulcain working in a situation where CORS is necessary. At the moment it seems to me that browsers are blocking preload requests, because the generated link headers do not include the crossorigin attribute (docs).
I'd propose adding crossorigin=anonymous, if the Access-Control-Allow-Origin header is present. And crossorigin=use-credentials, if the Access-Control-Allow-Credentials header is true (docs).
However, I'm not entirely sure what should happen, if the related resources are owned by different API-s (e.g. bookapi.com/book/1 is referencing authorapi.com/author/2). In that case the abovementioned could not be implied from the response headers.
Since the Link headers are added by Vulcain, there's no way for the upstream to handle this or is there?
I've been trying to get Vulcain working in a situation where CORS is necessary. At the moment it seems to me that browsers are blocking preload requests, because the generated link headers do not include the
crossorigin
attribute (docs).I'd propose adding
crossorigin=anonymous
, if theAccess-Control-Allow-Origin
header is present. Andcrossorigin=use-credentials
, if theAccess-Control-Allow-Credentials
header istrue
(docs).However, I'm not entirely sure what should happen, if the related resources are owned by different API-s (e.g.
bookapi.com/book/1
is referencingauthorapi.com/author/2
). In that case the abovementioned could not be implied from the response headers.Since the
Link
headers are added by Vulcain, there's no way for the upstream to handle this or is there?