CORS - allowing content-type on headers
g-belmonte opened this issue · 6 comments
Greetings!
I've been dealing with an application that has different servers for the frontend and its API. Resgate is the entrypoint for the API, and I was trying to do some REST requests from the frontend, but having trouble when setting the header "Content-Type: application/json", because resgate's answer didn't have the header "Access-Control-Allow-Headers: content-type".
I added it to the code, and things started to work perfectly for me.
If you think this change might bring value to the project, here's the PR: #173
I was solving this issue with @raphaelpereira, and I saw we both opened a PR for that.
(the other PR is #172)
Please, feel free to close one of them
Hi @g-belmonte and @raphaelpereira
Sorry for the slow response. Week has been mightily busy.
Great that you guys made it work! (and made me aware of the issue)
#172 (and #173) covers the most common case with Content-Type, but better to cover it completely.
Since request headers will have no side-effects with Resgate, and attempts to forge headers such as X-Forwarded-Host can easily be countered at the reverse proxy if some RES-service for some weird reason should depend on it. So.. yeah, I think it is safe to allow any headers.
But, with those changes, I actually made my own branch where the Access-Control-Request-Headers value is mirrored to the Access-Control-Allowed-Headers (I am not sure how well the browsers support the *-wildcard, so mirroring is more safe).
https://github.com/resgateio/resgate/tree/feature/gh-171-cors-access-control-allow-headers
If you have the time, please try it out to see if it solves your issue.
No worries, @jirenius! Actually, thanks for spending time taking a look at this issue. Time is a scarce resource
Well, my fix worked until I had to do a request with authorization. Then I had to add Access-Control-Allow-Headers: authorization to the headers and I started to think "what other headers am I missing?"... so, I do think that mirroring the Access-Control-Request-Headers would be an easy way forward!
I'll go test your branch, and I'll be back soon with the results
And yes, your branch is working perfectly
Great! Thanks for the help.
I'll have the branch merged to develop, and then release a patch version of Resgate instead of waiting for next minor release.
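The header mirroring discussed in this thread, sketched as an added example (not part of the thread and not Resgate's own code): a preflight handler that copies Access-Control-Request-Headers into Access-Control-Allow-Headers for one permitted origin. The handler name, the origin value, the allowed methods and the request path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigin is a constructed sample value, not Resgate configuration.
const allowedOrigin = "https://app.example.com"

// corsPreflight (hypothetical name) answers CORS preflight requests itself and
// mirrors the requested headers; everything else is passed on to next.
func corsPreflight(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		isPreflight := r.Method == http.MethodOptions &&
			r.Header.Get("Access-Control-Request-Method") != ""
		if origin != allowedOrigin || !isPreflight {
			next.ServeHTTP(w, r) // no CORS headers added on this path
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
		// The response depends on these request headers, so caches must key on them.
		h.Add("Vary", "Origin")
		h.Add("Vary", "Access-Control-Request-Headers")
		// Mirror whatever the browser asked for (content-type, authorization, ...).
		if req := r.Header.Values("Access-Control-Request-Headers"); len(req) > 0 {
			h.Set("Access-Control-Allow-Headers", strings.Join(req, ", "))
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// preflight sends a constructed preflight request through the handler and
// returns the response headers.
func preflight(origin, requestHeaders string) http.Header {
	r := httptest.NewRequest(http.MethodOptions, "/api/example", nil)
	r.Header.Set("Origin", origin)
	r.Header.Set("Access-Control-Request-Method", "POST")
	if requestHeaders != "" {
		r.Header.Set("Access-Control-Request-Headers", requestHeaders)
	}
	w := httptest.NewRecorder()
	corsPreflight(http.NotFoundHandler()).ServeHTTP(w, r)
	return w.Result().Header
}

func main() {
	fmt.Println(preflight(allowedOrigin, "authorization, content-type").Get("Access-Control-Allow-Headers"))
}
```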