First, thanks for the help so far with CORS.
When setting config.cors = true everything works as expected.
The preflight OPTIONS request succeeds unauthenticated and Access-Control-Allow-Origin: ‘*’ is returned in the response headers
The GET/POST/PUT/DELETE also returns Access-Control-Allow-Origin: ‘*’ as a header value…allowing the browser to accept the response.
Unfortunately the above scenario seems to be the only one where CORS is successful.
If I set config.cors to any value other than true what happens is:
The preflight OPTIONS request succeeds unauthenticated and Access-Control-Allow-Origin is returned in the headers with the value in the configuration for config.cors
eg. if config.cors = ‘http://www.example.com’ is configured Access-Control-Allow-Origin: ‘http://www.example.com’ is returned in response headers…the same goes for config.cors = ‘*’ - in this case Access-Control-Allow-Origin: ‘*’ is in the OPTIONS response headers as expected.
The GET/POST/PUT/DELETE DOES NOT CONTAIN Access-Control-Allow-Origin as a response header value…so even though we get a 200/201 back on this call, the browser rejects.