Closed wiki1000 closed 1 month ago
Hi @wiki1000, I was trying to reproduce your issue (successfully) and created following PR #2943.
/bounty $75
CC @jgoday
/attempt #2941
with your implementation plan/claim #2941
in the PR body to claim the bountyThank you for contributing to zio/zio-http!
Add a bounty • Share on socials
Attempt | Started (GMT+0) | Solution |
---|---|---|
🟢 @jgoday | Jul 30, 2024, 7:31:33 PM | #2943 |
/attempt #2941 The problem seems to be that the options routes, which handle the cors preflight request, were being added last, so the corsHeaders was not being correctly called
💡 @jgoday submitted a pull request that claims the bounty. You can visit your bounty board to reward.
@jgoday: You've been awarded a $75 bounty by ZIO! 👉 Complete your Algora onboarding to collect the bounty.
Describe the bug in 3.0.0-RC9 CorsConfig 'allowedHeaders' parameter generates an Access-Control-Expose-Headers header in Http responses in lieu of the 'Access-Control-Allow-Headers' header.
To Reproduce Steps to reproduce the behaviour:
the CorsConfig is :
and after
The browser triggers a CORS error, which disappears if the header Access-Control-Allow-Headers is added manually as proposed here in the example with the commented "addHeader" line.
The following html is provided to a Chrome Browser activating automatically CORS with the "Origin: null" header:
Expected behaviour
The specified OPTIONS request response shall return among the response headers: `access-control-allow-headers: *
and not `access-control-expose-headers: *
Desktop (please complete the following information):
Additional context The absence of access-control-allow-headers header is visible in the chrome console, and also in a curl request activating CORS: