HTTPException instances caught fail to preserve important response headers.

[amcgregor]

Notably especially for CORS, certain headers should be preserved regardless of final outcome, such as the Allow header identifying the HTTP verbs that are allowed, a la an OPTIONS request. Exceptions generated by extensions (such as ACL verification failure, incoming data transformation) or via in-endpoint raise currently replace context.response with the exception (since it is a valid WSGI application and Response instance), nuking any cooperative changes that have been made to the original.

On exception, all response headers excepting content headers should be transferred.

[amcgregor]

HTTP exceptions are caught and utilized as if they were a value returned by the endpoint, ultimately applied to the context by the BaseExtension registered render_response view, as HTTPException objects are themselves Response instances, WSGI applications. 2840daf now transfers a subset of headers from the existing cooperatively-populated Response instance:

• Any header starting with:
  • Access-
  • Cross-
  • Content-
  • X-
• Any header containing Origin.
• Any of the following explicit inclusions:
  • Allow
  • Server
  • Strict-Transport-Security
  • Upgrade-Insecure-Requests
  • Set-Cookie