Fix Access-Control-Allow-Headers to match exact headers#390
Conversation
| res.header('Access-Control-Allow-Origin', '*'); | ||
| res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS'); | ||
| res.header('Access-Control-Allow-Headers', '*'); | ||
| res.header('Access-Control-Allow-Headers', 'X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, Content-Type'); |
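Review bot: X-Parse-REST-API-Key stays in the exact list on the added line even though, per the thread, this CORS handling is meant for browser requests only (the master key header is, correctly, not listed); either drop the REST key header here or document why a browser client needs it. Because the list is now exact rather than `*`, any custom header the browser SDK starts sending later (anything outside Content-Type and the listed X-Parse-*/X-Requested-With names) will fail the preflight until it is added here, so keep the list next to wherever the SDK header names are defined rather than inline in the middleware. Note also that Access-Control-Allow-Origin on the first line is `*`, so this allow list is only ever consulted for requests sent without credentials.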
Are the keys limited because it's only for browser-based requests? (i.e. no master key header.) If so, not sure the REST header should be included?
Yes, you are right, it is for browser requests only.
I just copied the headers from the api.parse.com response headers - not sure if we need all of them. The important one to allow is "X-Parse-Application-Id".
Thanks!
From the stackoverflow link, how about we use the value in the
Unfortunately, the server will verify and accept only headers explicitly listed in 'Access-Control-Allow-Headers'. As long as custom headers (such as 'X-Parse-Application-Id') are used, they must be listed in 'Access-Control-Allow-Headers' - it is a CORS requirement.
…ders-response-header Fix Access-Control-Allow-Headers to match exact headers
Thanks for the PR!
Access-Control-Allow-Headers doesn't allow wildcards.
http://stackoverflow.com/a/13147554
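The two points made in this thread (custom headers must appear by name in Access-Control-Allow-Headers, and `*` is not honoured there) can be checked with a small emulation of what a browser does with a preflight response. The following is an added example, not code from parse-server or from this PR. The request headers are a constructed sample with placeholder key values, and the `wildcardAllowed` option is an assumption introduced here to also model the later Fetch standard rule, under which `*` covers every header except Authorization on requests sent without credentials; the browsers this thread refers to treated `*` as a literal header name, which is the default behaviour below:

```javascript
// Added example, not parse-server code: emulate the check a browser performs
// on a CORS preflight response, to show why the Parse headers must be listed
// by name in Access-Control-Allow-Headers.

// Header names a browser may send cross-origin without the server listing
// them (CORS-safelisted request headers). Content-Type is safelisted only for
// a few MIME types, handled separately below; application/json is not one of
// them, which is why Content-Type appears in the PR's list.
const SAFELISTED_NAMES = new Set(['accept', 'accept-language', 'content-language']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Return the lower-cased names of the request headers that need explicit
// permission from the server (the "CORS-unsafe request-header names").
function headersNeedingPermission(requestHeaders) {
  const needed = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (SAFELISTED_NAMES.has(name)) continue;
    if (name === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SAFELISTED_CONTENT_TYPES.has(mime)) continue;
    }
    needed.push(name);
  }
  return needed;
}

// Parse an Access-Control-Allow-Headers value into a set of lower-cased names.
function parseAllowHeaders(value) {
  return new Set(
    String(value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Decide whether the browser would send the actual request after the preflight.
// options.wildcardAllowed (assumption, see lead-in): true models the later Fetch
// rule where `*` covers every header except Authorization on credential-less
// requests; false models browsers where `*` only matches a header literally
// named "*". The returned `missing` array lists the headers that would make the
// preflight fail, i.e. what would have to be added to the server's list.
function preflightPasses(requestHeaders, allowHeadersValue, options = {}) {
  const { wildcardAllowed = false, withCredentials = false } = options;
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = wildcardAllowed && !withCredentials && allowed.has('*');
  const missing = headersNeedingPermission(requestHeaders).filter((name) => {
    if (allowed.has(name)) return false;
    // Authorization is a "non-wildcard" request header: `*` never covers it.
    return !(wildcard && name !== 'authorization');
  });
  return { ok: missing.length === 0, missing };
}

// Constructed sample: the headers a browser Parse SDK call carries
// (values are placeholders, not real keys).
const BROWSER_SDK_REQUEST = {
  'X-Parse-Application-Id': 'myAppId',
  'X-Parse-Javascript-Key': 'myJavascriptKey',
  'X-Parse-Session-Token': 'r:placeholder',
  'Content-Type': 'application/json',
};

// The two server configurations from the diff: the removed `*` and the added list.
const ALLOW_WILDCARD = '*';
const ALLOW_EXACT =
  'X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, ' +
  'X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, ' +
  'X-Parse-Revocable-Session, Content-Type';

console.log(preflightPasses(BROWSER_SDK_REQUEST, ALLOW_WILDCARD));
// { ok: false, missing: [ 'x-parse-application-id', 'x-parse-javascript-key',
//                         'x-parse-session-token', 'content-type' ] }
console.log(preflightPasses(BROWSER_SDK_REQUEST, ALLOW_EXACT));
// { ok: true, missing: [] }
```

Run with Node. The first call shows that, on a browser that takes `*` literally, every header the SDK sends is rejected at the preflight (including Content-Type, because the body is JSON); the second shows the exact list from the diff lets the same request through. Passing `{ wildcardAllowed: true }` shows the later standard behaviour, and adding `withCredentials: true` shows that even there `*` stops matching as soon as credentials are involved.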