Closed forana closed 3 years ago
Hi,
I agree that that section may benefit from a clarification. It would be great if you could suggest a change!
Made a PR: https://github.com/falconry/falcon/pull/1933 - happy to update that however maintainers would like.
A tired/frustrated reader (such as myself) might see https://falcon.readthedocs.io/en/stable/api/cors.html#usage and incorrectly interpret the example code comments to mean that a "correct" solution requires both setting `cors_enable=True` in the `App` constructor, and passing a `falcon.CORSMiddleware` object to it. This is incorrect, but in a very subtle way - because the `CORSMiddleware` header effectively consumes the `Allow` header from the response (https://github.com/falconry/falcon/blob/7efb46f4068428eb62b422b4b3c2e40129e5a914/falcon/middleware.py#L112-L113), a request including the `Access-Control-Request-Method` header will receive a response with `access-control-allow-methods: None`.
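
The failure mode described in this issue, as an added example that is not part of the original report and is not Falcon's code. It is a simplified model: the `Response` class, `cors_process_response`, `preflight` and `check_preflight` are hypothetical names, and it assumes that enabling CORS both ways runs the same response hook twice on one response and that header values are stringified when set.

```python
# Simplified model of the behaviour described in the issue, not Falcon's source.

class Response:
    def __init__(self, headers=None):
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}

    def get_header(self, name):
        return self.headers.get(name.lower())

    def delete_header(self, name):
        self.headers.pop(name.lower(), None)

    def set_header(self, name, value):
        # Assumption: values are stringified, which is how a missing value
        # ends up on the wire as the literal text "None".
        self.headers[name.lower()] = str(value)


def cors_process_response(req_headers, resp):
    """Preflight hook model: move Allow into Access-Control-Allow-Methods."""
    if 'access-control-request-method' not in req_headers:
        return
    allow = resp.get_header('Allow')   # second run finds nothing here
    resp.delete_header('Allow')        # first run consumes the header
    resp.set_header('Access-Control-Allow-Methods', allow)


def preflight(hook_count):
    """Run a constructed OPTIONS preflight through hook_count copies of the hook."""
    req_headers = {'origin': 'https://app.example',          # constructed sample
                   'access-control-request-method': 'POST'}
    resp = Response({'Allow': 'GET, POST'})
    for _ in range(hook_count):
        cors_process_response(req_headers, resp)
    return resp.headers


def check_preflight(headers):
    """Regression check: the advertised methods must be a real method list."""
    value = headers.get('access-control-allow-methods')
    return value is not None and value != 'None'


if __name__ == '__main__':
    for n in (1, 2):
        h = preflight(n)
        print(n, h, 'ok' if check_preflight(h) else 'BROKEN')
```

A check like `check_preflight` can be pointed at the headers of a real preflight response in an integration test to catch the doubled configuration.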