Pode
Cross-Origin Request Warning: The Same Origin Policy will disallow reading the remote resource at http://localhost:8043/api/v1/org soon. (Reason: When the `Access-Control-Allow-Headers` is `*`, the `Authorization` header is not covered. To include the `Authorization` header, it must be explicitly listed in CORS header `Access-Control-Allow-Headers`).
Firefox is complaining that the `Authorization` header is not explicitly listed in the CORS header `Access-Control-Allow-Headers`.
This is my securityAccessControl:

```powershell
Set-PodeSecurityAccessControl -Origin '*' -Methods @('GET', 'POST', 'PATCH', 'DELETE','OPTIONS') -Headers '*' -Duration 7200 -Credentials -WithOptions
```

We need a new option to add `Access-Control-Allow-Headers` to the headers, or a switch.
From what I can tell reading here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers, it's because of `-Credentials`. When the `Access-Control-Allow-Credentials` header is true, the "*" in `Access-Control-Allow-Headers` is taken literally rather than as a wildcard, which means allowed headers will have to be explicitly listed.

A check that fails when `-Credentials` is passed and `-Headers` is "*" would be good. And maybe auto-add `Authorization` to Headers as well for Credentials 🤔 but other headers will have to be listed in `-Headers` properly.
I fixed the issue with my code. Firefox is happy with that:

```powershell
# headers
if (![string]::IsNullOrWhiteSpace($Headers)) {
    if ($Headers -icontains '*') {
        # '*' does not cover Authorization, so list it explicitly when requested
        if ($AuthorizationHeader) {
            Add-PodeSecurityHeader -Name 'Access-Control-Allow-Headers' -Value '*,Authorization'
        }
        else {
            Add-PodeSecurityHeader -Name 'Access-Control-Allow-Headers' -Value '*'
        }
    }
    else {
        # explicit list: emit it as a comma-separated value
        Add-PodeSecurityHeader -Name 'Access-Control-Allow-Headers' -Value ($Headers -join ', ').ToUpperInvariant()
    }
}
```
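The check suggested in the reply above, combined with the explicit `Authorization` entry, as an added example that is not Pode's code and was not posted by either participant. `Resolve-AllowHeadersValue` and its parameters are hypothetical names, and the sample calls use constructed inputs modelled on the `Set-PodeSecurityAccessControl` call in this thread.

```powershell
# Hypothetical helper (not part of Pode): computes the value for
# Access-Control-Allow-Headers, or throws on a combination browsers will not honour.
function Resolve-AllowHeadersValue {
    [CmdletBinding()]
    param(
        [string[]] $Headers,
        [switch] $Credentials,          # mirrors -Credentials from the thread
        [switch] $AuthorizationHeader   # mirrors the $AuthorizationHeader flag in the posted fix
    )

    # Drop empty entries and surrounding whitespace.
    $names = @($Headers |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ForEach-Object { $_.Trim() })
    if ($names.Count -eq 0) { return $null }

    # With credentials, browsers read '*' as a literal header name, so a
    # wildcard here silently allows nothing. Fail early instead.
    if ($Credentials -and ($names -contains '*')) {
        throw "-Headers '*' cannot be combined with -Credentials; list each allowed header by name."
    }

    # Authorization is never covered by '*', so it must appear by name.
    if ($AuthorizationHeader -and ($names -notcontains 'Authorization')) {
        $names += 'Authorization'
    }

    return ($names -join ', ')
}

# Constructed sample calls.
Resolve-AllowHeadersValue -Headers '*' -AuthorizationHeader
Resolve-AllowHeadersValue -Headers 'Content-Type', 'X-Request-Id' -Credentials -AuthorizationHeader
try {
    Resolve-AllowHeadersValue -Headers '*' -Credentials
}
catch {
    "Rejected: $($_.Exception.Message)"
}
```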