Access-Control-Max-Age without value
Closed this issue · 2 comments
Bug Report
Q | A |
---|---|
Version(s) | 1.0.1 |
Summary
Access-Control-Max-Age currently returns an empty value if not set via the configuration. This does not adhere to the specification, in which it should be either a deltatime (numeric value) or be omitted.
Current behavior
If the Access-Control-Max-Age is not set, the preflight response still contains the Header but does not include a value.
How to reproduce
Omit the Access-Control-Max-Age configuration entry for the global config and (if existing) the route-specific config. The OPTIONS request will still contain the header but with no value.
Expected behavior
If no value is set, the header should be omitted from the response (or, if easier for the implementation, contain a default value).
@cookieseller Thanks for reporting this issue. I've checked the Mozilla developer documentation and decided to use `-1` as the default value for the `allowed_max_age` configuration if not provided at all.
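The behaviour reported in this issue and the two outcomes the thread discusses (omit the header, or send a default), as an added Python example that is not the project's code. The function names, the sample origin and the header lists are constructed for illustration; the check accepts `-1` only because the reply above chooses it as the default.

```python
import re

# Non-negative integer seconds, or -1 (the default chosen in the maintainer's reply).
_VALID = re.compile(r"-1|[0-9]+")


def emit_reported(max_age=None):
    """Hypothetical emitter reproducing the report: header sent even when unset."""
    value = "" if max_age is None else str(max_age)
    return [("Access-Control-Allow-Origin", "https://app.example"),
            ("Access-Control-Max-Age", value)]


def emit_fixed(max_age=None, default=None):
    """Hypothetical emitter: omit the header when unset, or fall back to a default."""
    headers = [("Access-Control-Allow-Origin", "https://app.example")]
    chosen = default if max_age is None else max_age
    if chosen is not None:
        headers.append(("Access-Control-Max-Age", str(int(chosen))))
    return headers


def audit_max_age(headers):
    """Classify Access-Control-Max-Age in a preflight response's header list."""
    values = [v for k, v in headers if k.lower() == "access-control-max-age"]
    if not values:
        return "absent"
    if len(values) > 1:
        return "duplicate header"
    value = values[0].strip()
    if value == "":
        return "empty value"
    if not _VALID.fullmatch(value):
        return "non-numeric value"
    return "ok"


if __name__ == "__main__":
    for label, hdrs in [("reported", emit_reported()),
                        ("omitted", emit_fixed()),
                        ("default -1", emit_fixed(default=-1)),
                        ("configured", emit_fixed(max_age=600))]:
        print(label, "->", audit_max_age(hdrs))
```

The same `audit_max_age` check can be run over headers captured from a real OPTIONS response to confirm that an upgraded deployment no longer sends the empty header.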