Question
Do we need to include the Access-Control-Expose-Headers to expose the Access-Control-Allow-Origin header to be visible to JavaScript clients for CORS support?
Many API implementations are failing in the Product Comparator Tool at the moment, and those whose APIs are not failing have this header present.
A definitive list of all required headers would be appreciated.
Answer
All of the calls to CDR APIs include custom headers. For example, x-v is always included as a minimum. The CORS specification indicates that calls with custom headers must be handled as pre-flighted calls rather than as simple CORS requests.
The pre-flight mode results in an initial HTTP call using the OPTIONS method that must be responded to successfully. Most modern browsers implement CORS this way. The following Mozilla article has a good overview of the simple and pre-flight modes of CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS.
In essence, if you do not support the OPTIONS call, then CORS will fail for PRD endpoints.
See:
- Knowledge base article CORS support
- Mozilla developer article: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
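The pre-flight behaviour described in the answer, as an added example that is not part of the original article or of any CDR reference implementation: one function decides whether a browser would pre-flight a request, the other builds the response to the OPTIONS call. The function names, the allow-lists, the wildcard origin (suitable only for unauthenticated public data) and the sample values are assumptions.

```javascript
// Added example: names, allow-lists and policy values are assumptions.
// CORS-safelisted request headers (Fetch spec; value restrictions simplified).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Assumed server policy for a public, read-only endpoint.
const ALLOWED_METHODS = ['GET'];
const ALLOWED_HEADERS = ['x-v'];

// Browser side: would this cross-origin request be pre-flighted?
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return true; // any custom header, e.g. x-v
    if (n !== 'content-type') return false;
    return !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Server side: answer the OPTIONS pre-flight.
// req = { method, headers } with lower-case header names.
function handlePreflight(req) {
  const h = req.headers;
  if (req.method !== 'OPTIONS' || !h['origin'] || !h['access-control-request-method']) {
    return null; // not a pre-flight: pass to the normal route handler
  }
  const wantMethod = h['access-control-request-method'].toUpperCase();
  const wantHeaders = (h['access-control-request-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod) &&
    wantHeaders.every(x => ALLOWED_HEADERS.includes(x));
  // A non-2xx reply without CORS headers makes the browser block the real call.
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    },
  };
}
```

Keeping the allow-lists explicit means a pre-flight asking for a method or header outside the policy is refused rather than echoed back.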