h2020-westlife-eu / virtualfolder

Virtual Folder
http://internal-wiki.west-life.eu/w/index.php?title=D6.1
MIT License

Provstore doesn't accept case insensitive CORS #77

Closed TomasKulhanek closed 5 years ago

TomasKulhanek commented 5 years ago

Sent to Provstore authors: The VF UI needs to store a provenance document on the user's behalf within a Provstore instance. Using any backend technology, the POST method can be sent directly. However, when using a browser application, standard browsers (Firefox, IE, Edge, Chrome) recognize a POST request with custom headers as potentially unsafe and initiate a pre-flight OPTIONS request to check whether POST and the custom headers are safe.

Host: openprovenance.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Origin: http://localhost:8081
Connection: keep-alive

Unfortunately, the Provstore server responds with HTTP 301 instead. Thus it's recognized as not accepting POST and the 'authorization, content-type' headers. It should return at least

Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: authorization,content-type

See further information at https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

TomasKulhanek commented 5 years ago

ProvStore accepts CORS, but in a case-sensitive manner. HTTP header names should be case-insensitive, thus the server running ProvStore breaches the specification. The Fetch API sends Access-Control-Request-Headers: authorization,content-type. If Access-Control-Request-Headers: Authorization,Content-type is sent manually, it is accepted by the Provstore server.
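
The mismatch described in the comment above, as an added example that is not part of the original thread and is not ProvStore's code: a preflight check run once with byte-for-byte comparison of the requested header names and once with case-insensitive comparison. The allowlists, the function names and the two sample requests are constructed assumptions.

```python
# Added example; allowlists and sample requests are constructed, not ProvStore's.
ALLOWED_ORIGINS = {"http://localhost:8081"}
ALLOWED_METHODS = {"POST"}
ALLOWED_HEADERS = ("Authorization", "Content-type")  # casing as an operator typed it

def split_names(value):
    """Split a comma-separated list of header names, trimming whitespace."""
    return [name.strip() for name in value.split(",") if name.strip()]

def preflight(request_headers, case_sensitive=False):
    """Return CORS response headers for an OPTIONS preflight, or None to refuse.

    case_sensitive=True reproduces the behaviour reported in the thread:
    requested header names are compared byte-for-byte with the allowlist.
    """
    # Field names of the request itself are always matched case-insensitively.
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    method = req.get("access-control-request-method")
    wanted = split_names(req.get("access-control-request-headers", ""))

    fold = (lambda s: s) if case_sensitive else str.lower
    allowed = {fold(h) for h in ALLOWED_HEADERS}

    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS:
        return None
    if any(fold(h) not in allowed for h in wanted):
        return None  # refuse rather than reflect names outside the allowlist
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(wanted),
        "Vary": "Origin",
    }

BASE = {"Origin": "http://localhost:8081", "Access-Control-Request-Method": "POST"}
FETCH = {**BASE, "Access-Control-Request-Headers": "authorization,content-type"}
MANUAL = {**BASE, "Access-Control-Request-Headers": "Authorization,Content-type"}

if __name__ == "__main__":
    for label, req in (("fetch", FETCH), ("manual", MANUAL)):
        for strict in (True, False):
            print(label, "case_sensitive=%s" % strict, "->", preflight(req, strict))
```

Folding case on both sides keeps the allowlist strict: a header name outside it is still refused, and only names that passed the check are echoed back.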

TomasKulhanek commented 5 years ago

Not an issue of VF.