I am using a CORS setting as below in an Assign-Message policy on the response pre-flow of an API proxy.
<Header name="Access-Control-Allow-Headers">*</Header>
Firefox complains with the below error (although it's set to *).
Reason: missing token ‘cache-control’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
The same settings work with Chrome and Edge.
When I explicitly set all the header names as below, the request goes through in Firefox.
<Header name="Access-Control-Allow-Headers">Content-Type, x-api-key, x-api-version, Accept, Cache-Control, pragma, Authorization</Header>
Has anyone faced such an issue? Is setting the headers explicitly a best practice, or is setting it to * still OK?
[P.S - I know, this is not really an Apigee problem. I just wanted to know from the folks here if they faced this issue and what's the best way to fix it]
A quick Google search shows that support for wildcards in the Access-Control-Allow-Headers header was added to the "living standard" in 2016. Not all browsers have supported that change. [link]
The way to work around this is to either upgrade the browser, or use a non-wildcard value for Access-Control-Allow-Headers.
Thanks for the prompt response @Dino-at-Google. I do have the latest version of Firefox (68.0.2), seems like it's still not supported on it.
I liked the idea of echoing back the Access-Control-Request-Headers in the Access-Control-Allow-Headers on the response.
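The idea in the last reply, echoing Access-Control-Request-Headers back, sketched as an added example that is not part of the thread and is not Apigee's own code: it echoes only names on an allowlist, since echoing every requested name is equivalent to `*`. The function names and the sample input are assumptions; the allowlist is the explicit header list from the question.

```javascript
// Added example: allowlist-filtered echo of Access-Control-Request-Headers.
// ALLOWED is the explicit list from the question; function names are hypothetical.
const ALLOWED = ['content-type', 'x-api-key', 'x-api-version', 'accept',
                 'cache-control', 'pragma', 'authorization'];

// Split a comma-separated header-name list into lowercase tokens.
function parseHeaderList(value) {
  return (value || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// Build the Access-Control-Allow-Headers value for a preflight response:
// echo only the requested names that are on the allowlist.
function buildAllowHeaders(requestHeadersValue, allowlist = ALLOWED) {
  const allowed = new Set(allowlist.map((h) => h.toLowerCase()));
  const requested = parseHeaderList(requestHeadersValue);
  return [...new Set(requested)].filter((h) => allowed.has(h)).join(', ');
}

// Simplified model of the browser-side preflight check. A client without
// wildcard support treats "*" as a literal header name, which matches the
// Firefox error in the question. Per the Fetch standard, "*" is also not a
// wildcard for credentialed requests and never covers Authorization.
function missingTokens(requestHeadersValue, allowHeadersValue, opts = {}) {
  const { wildcardSupported = true, withCredentials = false } = opts;
  const granted = new Set(parseHeaderList(allowHeadersValue));
  const wildcard = wildcardSupported && !withCredentials && granted.has('*');
  return parseHeaderList(requestHeadersValue).filter((h) => {
    if (granted.has(h)) return false;
    return !(wildcard && h !== 'authorization');
  });
}

// Constructed sample preflight value, not taken from the thread.
const sample = 'Cache-Control, X-Api-Key, X-Debug-Token';
console.log(buildAllowHeaders(sample));
console.log(missingTokens('cache-control', '*', { wildcardSupported: false }));
```

Because the echoed value depends on the request, a cacheable preflight response should also carry `Vary: Access-Control-Request-Headers`.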