Closed mario-minati closed 5 years ago
Access-Control-Allow-Headers
is automatically set to value of Access-Control-Request-Headers
. Can you please explain why this doesn't work for you?
Looking at the source the _request()
sub runs on the after_render
hook. For routes that have not set any cors
or under_strict_cors
setting only the code of _request()
runs, right?
In the code of _request()
sub, theres is not taken care of $opt{header}
setting.
The Access-Control-Allow-Headers
header is only taken care of in the _preflight()
sub.
We try to set the Access-Control-Allow-Headers
header application wide for all routes.
Why do you need this? If you'll take a look at spec you'll notice this header is supposed to be used only as part of the response to a preflight request.
I feared that was against the spec. We are experimenting with different ways to add CORS to an OpenAPI interface. We thought using this module could be quick solution by setting CORS attributes application wide.
As the Mojolicious::Plugin::OpenAPI handles the OPTIONS request itself, we might not be able to combine it with the Mojolicious::Plugin::SecureCORS module. Instead we'll dig deeper into Mojolicious::Plugin::OpenAPI::Cors with which we had troubles, too.
The
after_render
hook only set's the after_renderAccess-Control-Expose-Headers
header field, but it is impossible to set theAccess-Control-Allow-Headers
header.