Doing a request with the SDK from the browser doesn't work any more. The CORS preflight OPTIONS request fails with the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.flickr.com/services/rest?method=flickr.photosets.getPhotos&[...]. (Reason: header ‘user-agent’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
The response to the CORS preflight request has the header access-control-allow-origin set to *, which is good, but it also requests that there is an access-control-allow-headers set to user-agent.
This is a bug I noticed only now, but I believe was introduced with #156.
I didn't notice before because I was doing the requests from a server-side rendered home page. So it was only visible when initially loading another page of my website and then going to the home page.
I'm not sure that adding the header access-control-allow-headers to the CORS response is the solution. It is actually not really appropriate that the request is sent from the browser with a custom user-agent header. It should be sent with the browser user-agent value. So ideally, the custom user-agent header should be set only when requests are sent from the server-side.
As, in the end, it will not be mandatory any more to provide a user-agent to call the Flickr API, then maybe the simplest solution is to revert dc79a7a28c8382e84c633165258b415a8408b77c?
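The preflight check behind the error reported above, as an added example (not code from the SDK or from the issue author): a simplified model of how a browser decides which request headers need permission from `Access-Control-Allow-Headers`, plus a hypothetical `buildHeaders` helper that attaches a custom `User-Agent` only outside a browser. The safelist is reduced to header names and the simple `Content-Type` values, and the request is assumed to be non-credentialed.

```javascript
// Added example: simplified model of the CORS preflight header check.
// Header names are case-insensitive, so everything is lower-cased.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Headers the browser must announce in Access-Control-Request-Headers.
function nonSafelistedHeaders(headers) {
  return Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), String(value)])
    .filter(([name, value]) => {
      if (SAFELISTED.has(name)) return false;
      if (name === 'content-type') {
        const mime = value.split(';')[0].trim().toLowerCase();
        return !SIMPLE_CONTENT_TYPES.has(mime);
      }
      return true; // e.g. a script-set User-Agent, as in the error above
    })
    .map(([name]) => name)
    .sort();
}

// Headers the preflight response does not permit; non-empty means blocked.
// allowHeaders is the raw Access-Control-Allow-Headers value (may be absent).
function blockedByPreflight(headers, allowHeaders) {
  const allowed = new Set(
    (allowHeaders || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean));
  const wildcard = allowed.has('*'); // valid for non-credentialed requests only
  return nonSafelistedHeaders(headers).filter(
    (name) => !allowed.has(name) && !(wildcard && name !== 'authorization'));
}

// Hypothetical helper: attach a custom User-Agent only outside a browser,
// so browser requests keep the browser's own value and skip the preflight.
function buildHeaders(userAgent, runtime = globalThis) {
  const inBrowser = typeof runtime.window !== 'undefined' &&
    typeof runtime.document !== 'undefined';
  return inBrowser || !userAgent ? {} : { 'User-Agent': userAgent };
}
```
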