When setting config.cors = true everything works as expected.
The preflight OPTIONS request succeeds unauthenticated and Access-Control-Allow-Origin: ‘*’ is returned in the response headers
The GET/POST/PUT/DELETE also returns Access-Control-Allow-Origin: ‘*’ as a header value…allowing the browser to accept the response.
Unfortunately the above scenario seems to be the only one where CORS is successful.
If I set config.cors to any value other than true what happens is:
The preflight OPTIONS request succeeds unauthenticated and Access-Control-Allow-Origin is returned in the headers with the value in the configuration for config.cors eg. if config.cors = ‘http://www.example.com’ is configured Access-Control-Allow-Origin: ‘http://www.example.com’ is returned in response headers…the same goes for config.cors = ‘*’ - in this case Access-Control-Allow-Origin: ‘*’ is in the OPTIONS response headers as expected.
The GET/POST/PUT/DELETE DOES NOT CONTAINAccess-Control-Allow-Origin as a response header value…so even though we get a 200/201 back on this call, the browser rejects.
Thanks @tung . I should ask if you would prefer I open issues in github rather than through here? I come here really with the assumption that I am most likely doing something wrong.
On a related note…please tell me to go read the manual if it is in there, though I don’t recall seeing it…is it possible to set custom response headers at the controller level?
I should ask if you would prefer I open issues in github rather than through here? I come here really with the assumption that I am most likely doing something wrong.
Np. Sure, prefer issues when they have all the info required: reproducibility, code samples, etc. Trying to keep the GitHub issues signal-to-noise ratio high. The info gathering is so helpful to fix things quickly. For questions, think these community forums are better since usually not all the info is gathered yet.
RE: is it possible to set custom response headers at the controller level?
All good. Here are examples of how to set a response header.