hashgraph / hedera-json-rpc-relay

Implementation of Ethereum JSON-RPC APIs for Hedera
Apache License 2.0

CORS issue on HashIO #1423

Closed pathornteng closed 1 year ago

pathornteng commented 1 year ago

Description

Currently, the JSON RPC relay does not return the correct CORS header when it receives an OPTIONS request from the browser. The OPTIONS request is automatically sent to the server as part of the preflight process. Therefore, if the response during the preflight is not correct, the browser will not send a real request and will throw an error as follows:

image

Steps to reproduce

Go to the following website: https://cors-test.codehappy.dev/?url=https%3A%2F%2Ftestnet.hashio.io%2Fapi&origin=https%3A%2F%2Fcors-test.codehappy.dev%2F&method=options

Choose OPTIONS and then click test.

The following is the response from the HashIO testnet server, and it indicates that the header in the response does not contain access-control-allow-origin:

image

Additional context

No response

Hedera network

mainnet, testnet, previewnet

Version

latest

Operating system

None

Nana-EC commented 1 year ago

To clarify, we use koa-cors, so you can see the default options here. access-control-allow-origin is set to * by default, so I'm not sure this is the problem. Per your description, it's more likely the Access-Control-Allow-Methods. Can you confirm this?

If you do want to configure the CORS options, the best approach would be to add support for an env variable that lets a relay operator set their desired CORS header, e.g. access-control-allow-origin. You can see examples of how it'd be set here: https://github.com/koajs/cors/blob/master/test/cors.test.js

Also, in the relay we'd do this in the server.ts file (eventually in a separate middleware file).

Nana-EC commented 1 year ago

Actually, I think the issue might simply be that the relay does not support HTTP OPTIONS requests, as the CORS details are configured as noted.

The only API requests we support with use cases are GET and POST. Is your app explicitly calling the OPTIONS method in advance to understand the server capabilities, or is there some other scenario that's notable here?
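
An added example, not part of the issue thread or the relay's code: a browser sends the OPTIONS preflight on its own when a page POSTs JSON-RPC with `Content-Type: application/json`, and the function below approximates the check the browser then applies to the OPTIONS response (Fetch standard, no credentials). The function names, the `https://dapp.example` origin and both sample responses are constructed for illustration.

```javascript
// Added example. Approximates the browser's CORS-preflight check from the
// Fetch standard for a request sent without credentials.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
function splitList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// req: { origin, method, unsafeHeaders }  res: { status, headers } (lowercase names)
function checkPreflight(req, res) {
  const allowOrigin = res.headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: 'missing access-control-allow-origin' };
  }
  if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    return { ok: false, reason: 'origin not allowed' };
  }
  if (res.status < 200 || res.status > 299) {
    return { ok: false, reason: 'preflight status is not 2xx' };
  }
  const methods = splitList(res.headers['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.includes(req.method) ||
    methods.includes(req.method) || methods.includes('*');
  if (!methodOk) {
    return { ok: false, reason: 'method not allowed: ' + req.method };
  }
  const allowed = splitList(res.headers['access-control-allow-headers'])
    .map((h) => h.toLowerCase());
  for (const name of req.unsafeHeaders.map((h) => h.toLowerCase())) {
    // The "*" wildcard never covers the Authorization header.
    const byWildcard = allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !byWildcard) {
      return { ok: false, reason: 'header not allowed: ' + name };
    }
  }
  return { ok: true, reason: 'preflight passed' };
}

// Constructed sample data (not captured from HashIO).
const JSON_RPC_POST = { origin: 'https://dapp.example', method: 'POST', unsafeHeaders: ['Content-Type'] };
const NO_CORS_HEADERS = { status: 200, headers: {} };
const WITH_CORS_HEADERS = {
  status: 204,
  headers: {
    'access-control-allow-origin': '*',
    'access-control-allow-methods': 'GET,HEAD,PUT,POST,DELETE,PATCH',
    'access-control-allow-headers': 'content-type',
  },
};
console.log(checkPreflight(JSON_RPC_POST, NO_CORS_HEADERS), checkPreflight(JSON_RPC_POST, WITH_CORS_HEADERS));
```

To diagnose a live endpoint, copy the status and lowercase response headers of its OPTIONS reply into the `res` argument.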