Issue with Access-Control-Allow-Headers set to * (specifically on Firefox)

I am using a CORS setting as below in Assign-Message policy on the response pre-flow of an api proxy.

<Header name="Access-Control-Allow-Headers">*</Header>

Firefox complains with the below error (although it's set to *).

Reason: missing token ‘cache-control’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel

The same settings work with Chrome and Edge.

When I explicitly set all the header names as below, the request goes through in Firefox.

<Header name="Access-Control-Allow-Headers">Content-Type, x-api-key, x-api-version, Accept, Cache-Control, pragma, Authorization</Header>

Has anyone faced such an issue? Is setting the headers explicitly a best practice, or is setting it to * still OK?

[P.S. - I know, this is not really an Apigee problem. I just wanted to know from the folks here if they faced this issue and what's the best way to fix it]


A quick google search shows that support for wildcards in the Access-Control-Allow-Headers header was added to the "living standard" in 2016. Not all browsers have supported that change. [link]

The way to work around this is to either upgrade the browser, or use a non-wildcard value for Access-Control-Allow-Headers.

Thanks for the prompt response @Dino-at-Google. I do have the latest version of Firefox (68.0.2); it seems it's still not supported on it.

I liked the idea of echoing back the Access-Control-Request-Headers in the Access-Control-Allow-Headers on the response.