flickr / flickr-sdk

Almost certainly the best Flickr API client in the world for node and the browser
https://www.flickr.com/services/api
MIT License

CORS preflight fails because of custom user-agent header #163

Closed davidsandoz closed 11 months ago

davidsandoz commented 11 months ago

Doing a request with the SDK from the browser doesn't work any more. The CORS preflight OPTIONS request fails with the following error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.flickr.com/services/rest?method=flickr.photosets.getPhotos&[...]. (Reason: header ‘user-agent’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).

The response to the CORS preflight request has the header access-control-allow-origin set to *, which is good, but it also requests that there is an access-control-allow-headers set to user-agent.

This is a bug I noticed only now, but I believe it was introduced with #156. I didn't notice before because I was doing the requests from a server-side rendered home page. So it was only visible when initially loading another page of my website and then going to the home page.

I'm not sure that adding the header access-control-allow-headers to the CORS response is the solution. It is actually not really appropriate that the request is sent from the browser with a custom user-agent header. It should be sent with the browser user-agent value. So ideally, the custom user-agent header should be set only when requests are sent from the server-side.

As, in the end, it will not be mandatory any more to provide a user-agent to call the Flickr API, then maybe the simplest solution is to revert dc79a7a28c8382e84c633165258b415a8408b77c?
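An added example (not flickr-sdk's own code) that models the preflight decision behind the error quoted above and the proposed fix of attaching the custom header only outside the browser. `blockedByPreflight` and `buildHeaders` are hypothetical helpers, and the user-agent string is constructed.

```javascript
// Added example, not part of flickr-sdk: why a custom User-Agent trips a CORS
// preflight, and how attaching it only server-side avoids the problem.

// Request headers a browser may send cross-origin without the server listing
// them in Access-Control-Allow-Headers (the CORS-safelisted request headers).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isSafelisted(name, value) {
  if (name === 'content-type') {
    return SAFE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
  }
  return SAFELISTED.has(name);
}

// Returns the header names the browser would refuse to send after preflight,
// given the preflight response's Access-Control-Allow-Headers value.
// An empty array means the actual request is allowed to go out.
// A "*" in the allow list only counts for requests sent without credentials.
function blockedByPreflight(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(
    (allowHeadersValue || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  const wildcard = allowed.has('*') && !withCredentials;
  return Object.entries(requestHeaders)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name)
    .filter((name) => !(wildcard || allowed.has(name)));
}

// Build headers for a Flickr REST call: the custom User-Agent is only added
// when not running in a browser, so the browser's own value is sent instead.
function buildHeaders(isBrowser, userAgent) {
  const headers = { Accept: 'application/json' };
  if (!isBrowser) headers['User-Agent'] = userAgent;
  return headers;
}
```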

jeremyruppel commented 11 months ago

Thanks for the great writeup! This should be fixed since #161 (thanks @seleb) and is available in v6.3.0

davidsandoz commented 11 months ago

Thank you for the fix, @seleb! 👍