
Access-Control-Max-Age being removed

Open jordanfinners opened this issue 5 years ago • 11 comments

Issue Setting custom headers on my azure functions, all appear except for Access-Control-Max-Age, which I want to set to reduce the number of options requests being made as I'm using fetch across origins.

{
    'Access-Control-Allow-Origin': 'https://www.fittr.pro',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, OPTIONS, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '7200',
    'Vary': 'Origin, Accept-Encoding',
    // https://helmetjs.github.io/docs/dont-sniff-mimetype/
    'X-Content-Type-Options': 'nosniff',
    // https://helmetjs.github.io/docs/hsts
    // Max Age be at least 18 weeks to be approved by Google
    // Sub domains must be enabled to be approved by Google
    'Strict-Transport-Security': 'max-age=10886400; includeSubDomains; preload',
    // https://helmetjs.github.io/docs/referrer-policy
    'Referrer-Policy': 'same-origin',
    // https://helmetjs.github.io/docs/dns-prefetch-control/
    'X-DNS-Prefetch-Control': 'off',
    'Content-Security-Policy': constructContentSecurityPolicyHeader(),
    // https://helmetjs.github.io/docs/xss-filter/
    'X-XSS-Protection': '1; mode=block',
    'Content-Type': 'application/json; charset=utf-8',
    // https://scotthelme.co.uk/a-new-security-header-feature-policy/
    'Feature-Policy': 'accelerometer \'none\'; camera \'none\'; geolocation \'none\'; gyroscope \'none\';'
      + ' magnetometer \'none\'; microphone \'none\'; payment \'none\'; usb \'none\'',
  }

And here are the response headers I'm seeing (copied from Chrome)

access-control-allow-credentials: true
access-control-allow-origin: https://www.fittr.pro
content-encoding: gzip
content-length: 123
content-security-policy: default-src 'self';...
content-type: application/json; charset=utf-8
date: Thu, 18 Jul 2019 17:56:40 GMT
feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
referrer-policy: same-origin
status: 200
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Origin, Accept-Encoding,Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block

As you can see the access-control-max-age header isn't being returned. The access-control-allow-credentials is being set by the CORS setting in the azure portal.

It appears that something between my code and the response is stripping out some access-control headers.

Tech

  • Azure Functions V2
  • Language: JavaScript

Expected Can set the Access-Control-Max-Age header

Thank you in advance :)

jordanfinners avatar Jul 18 '19 18:07 jordanfinners

@mhoeger to take a look

ColbyTresness avatar Jul 18 '19 19:07 ColbyTresness

Thank you! Let me know if you need anymore info 😊

jordanfinners avatar Jul 19 '19 18:07 jordanfinners

Was this issue solved for you @jordanfinners ?

code-with-kunalk avatar Dec 19 '19 07:12 code-with-kunalk

Was this issue solved for you @jordanfinners ?

No the max age header still gets removed.

jordanfinners avatar Dec 22 '19 19:12 jordanfinners

Is it fixed ? I still see the header being removed.

prabhakarreddy1234 avatar Jan 28 '20 17:01 prabhakarreddy1234

This is still a problem. The headers seem to be set, however, if you remove all CORS origins from the portal. It seems like the options are to handle all of the CORS headers in code or handle them all through the portal, but never a mix of the two.

acd-hfi avatar Mar 03 '20 20:03 acd-hfi

It's 2022, and we are leaving Azure functions for AWS

baybal avatar Jun 22 '22 14:06 baybal

Was looking for a solution for setting the 'Access-Control-Max-Age' in my function, this still doesn't seem possible when using the CORS settings from the portal, is this correct and if so, is there any timeline on when this will be available?

Ben-Ruben avatar Nov 03 '22 09:11 Ben-Ruben

@Ben-Ruben I tried a few weeks ago and it was not possible then. To avoid the excessive OPTIONS requests I disabled CORS in the portal and I now handle the OPTIONS requests and CORS headers manually in my function.

It is a bit crazy that it is not possible to control the 'access-control-max-age' header. It is the only thing missing from the CORS feature to make it useful in production.

cr3wdayt5p avatar Nov 03 '22 09:11 cr3wdayt5p

@cr3wdayt5p Yes, I'm trying that now as well and that route seems to work. However not sure whether I cover all that's needed for a proper CORS implementation now. Therefore I rather rely on the features provided (through the portal), but these are incomplete.

Ben-Ruben avatar Nov 03 '22 15:11 Ben-Ruben
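The workaround described in the two comments above (portal CORS disabled, preflight and CORS headers handled in the function) can look like the following. This is an added example written for this page, not code from the issue author, the commenters or the Azure Functions project. It assumes the Azure Functions V2 JavaScript programming model (`context.res` set by an async function), that all allowed origins have been removed from the portal CORS setting so the platform no longer rewrites `access-control-*` headers, and a placeholder origin allowlist containing only the origin from the original post. The `handleRequest` function is a pure request-to-response mapper so the logic can be exercised without the Functions host.

```javascript
// Manual CORS handling for an Azure Functions V2 JavaScript HTTP trigger.
// Assumption: portal CORS is disabled (no origins configured), otherwise the
// platform overwrites the access-control-* headers set here.

// Placeholder allowlist taken from the original post; replace with your own.
const ALLOWED_ORIGINS = new Set(['https://www.fittr.pro']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization']; // compared lowercase
const MAX_AGE_SECONDS = 7200; // seconds the browser may cache a successful preflight

// Non-CORS hardening headers from the original post, added to every response.
const SECURITY_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=10886400; includeSubDomains; preload',
  'Referrer-Policy': 'same-origin',
  'X-DNS-Prefetch-Control': 'off',
};

// Incoming header names arrive lowercased in Azure Functions; look them up
// case-insensitively so the code also works with hand-built test requests.
function getHeader(req, name) {
  const headers = req.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function splitList(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Headers shared by preflight and actual responses. Returns null when the
// Origin is not allowlisted: with no Access-Control-Allow-Origin the browser
// refuses to expose the response to the calling page.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact origin; never '*' together with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not serve one origin's answer to another
  };
}

// Validates a preflight. Returns the extra headers for a 204, or null if the
// requested method or any requested header is not permitted.
function preflightHeaders(requestedMethod, requestedHeaders) {
  if (!requestedMethod || !ALLOWED_METHODS.includes(requestedMethod.toUpperCase())) return null;
  const unexpected = splitList(requestedHeaders).filter((h) => !ALLOWED_HEADERS.includes(h));
  if (unexpected.length > 0) return null;
  return {
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': String(MAX_AGE_SECONDS),
  };
}

// Pure mapping from request to the object assigned to context.res.
function handleRequest(req) {
  const origin = getHeader(req, 'origin');
  const cors = corsHeaders(origin);
  const deny = { status: 403, headers: { ...SECURITY_HEADERS }, body: '' };

  // A CORS preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const requestedMethod = getHeader(req, 'access-control-request-method');
  if (req.method === 'OPTIONS' && requestedMethod) {
    const extra = cors && preflightHeaders(requestedMethod, getHeader(req, 'access-control-request-headers'));
    return extra ? { status: 204, headers: { ...cors, ...extra, ...SECURITY_HEADERS } } : deny;
  }

  // Server-side enforcement: a browser request from a non-allowlisted origin is
  // refused outright rather than merely left unreadable. If the function also
  // serves its own pages, add that origin to the allowlist (same-origin POSTs
  // carry an Origin header too). Requests without Origin get no CORS headers.
  if (origin && !cors) return deny;

  return {
    status: 200,
    headers: { 'Content-Type': 'application/json; charset=utf-8', ...SECURITY_HEADERS, ...(cors || {}) },
    body: JSON.stringify({ ok: true }),
  };
}

// Azure Functions V2 entry point.
async function handler(context, req) {
  context.res = handleRequest(req);
}

if (typeof module !== 'undefined') module.exports = handler;
```

Two practical notes on the max-age value: browsers cap it regardless of what the server sends (Chromium at 7200 seconds, Firefox at 86400), and the preflight cache is keyed per URL, method and requested headers, so it only removes repeat preflights for identical requests. The rejection paths deliberately omit every `Access-Control-*` header, which is what the issue's mixed portal-plus-code setup could not guarantee.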