powerman / perl-Mojolicious-Plugin-SecureCORS

Perl module: Mojolicious::Plugin::SecureCORS - Complete control over CORS
https://metacpan.org/release/Mojolicious-Plugin-SecureCORS

after_render hook doesn't set Access-Control-Allow-Headers #4

Closed mario-minati closed 5 years ago

mario-minati commented 5 years ago

The after_render hook only sets the after_render Access-Control-Expose-Headers header field, but it is impossible to set the Access-Control-Allow-Headers header.

powerman commented 5 years ago

Access-Control-Allow-Headers is automatically set to the value of Access-Control-Request-Headers. Can you please explain why this doesn't work for you?

mario-minati commented 5 years ago

Looking at the source, the _request() sub runs on the after_render hook. For routes that have not set any cors or under_strict_cors setting, only the code of _request() runs, right?

In the code of the _request() sub, the $opt{header} setting is not taken care of.

The Access-Control-Allow-Headers header is only taken care of in the _preflight() sub.

We try to set the Access-Control-Allow-Headers header application wide for all routes.

powerman commented 5 years ago

Why do you need this? If you take a look at the spec you'll notice this header is supposed to be used only as part of the response to a preflight request.
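
The distinction made in the comment above, as an added illustration that is not part of the thread and is not SecureCORS code: plain Perl that builds CORS response headers, putting Access-Control-Allow-Headers only on the preflight response and Access-Control-Expose-Headers on the actual response. The policy hash, the origin and the function name are hypothetical, and checking requested headers against an allowlist is this example's own choice, not a description of how the plugin fills the header.

```perl
use strict;
use warnings;

# Hypothetical policy for this example (these are not SecureCORS options).
my %POLICY = (
    origin  => { 'https://app.example' => 1 },
    methods => { GET => 1, PUT => 1 },
    headers => { 'content-type' => 1, 'authorization' => 1 },  # lower-cased
    expose  => 'X-Request-Id',
);

# Build CORS response headers for one request; returns undef when refused.
# $req = { method => 'PUT', headers => { 'lower-cased-name' => 'value' } }
sub cors_headers {
    my ($req) = @_;
    my $h      = $req->{headers};
    my $origin = $h->{origin};
    return unless defined $origin && $POLICY{origin}{$origin};
    my %out = ('Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin');

    # Preflight = OPTIONS carrying Access-Control-Request-Method.
    my $want = $h->{'access-control-request-method'};
    if ($req->{method} eq 'OPTIONS' && defined $want) {
        return unless $POLICY{methods}{$want};
        my $raw = lc($h->{'access-control-request-headers'} // '');
        $raw =~ s/^\s+|\s+$//g;
        my @asked = grep { length } split /\s*,\s*/, $raw;
        return if grep { !$POLICY{headers}{$_} } @asked;
        $out{'Access-Control-Allow-Methods'} = $want;
        $out{'Access-Control-Allow-Headers'} = join ', ', @asked if @asked;
        return \%out;
    }

    # Actual request: browsers read Allow-Headers only from the preflight
    # response, so only Expose-Headers is added here.
    $out{'Access-Control-Expose-Headers'} = $POLICY{expose};
    return \%out;
}

# Constructed sample requests: a preflight, then the actual request.
my @demo = (
    { method => 'OPTIONS', headers => { origin => 'https://app.example',
        'access-control-request-method'  => 'PUT',
        'access-control-request-headers' => 'Content-Type, Authorization' } },
    { method => 'PUT', headers => { origin => 'https://app.example' } },
);
for my $req (@demo) {
    my $out = cors_headers($req) or next;
    print "$req->{method}:\n", map { "  $_: $out->{$_}\n" } sort keys %$out;
}
```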

mario-minati commented 5 years ago

I feared that was against the spec. We are experimenting with different ways to add CORS to an OpenAPI interface. We thought using this module could be a quick solution by setting CORS attributes application wide.

As the Mojolicious::Plugin::OpenAPI handles the OPTIONS request itself, we might not be able to combine it with the Mojolicious::Plugin::SecureCORS module. Instead we'll dig deeper into Mojolicious::Plugin::OpenAPI::Cors with which we had troubles, too.