Add Access-Control-Request-Method to the list of forwarded headers - CORS problem

Nyholm opened this issue 2 years ago • 2 comments

I (with help from @t-richard) found this small thing that could be a massive improvement.

I am running an API and want to allow requests from my React app. I obviously get issues with CORS, but no matter how much I tried, I failed to solve it...

It turned out to be that Chrome is doing a "preflight" to check CORS headers with an OPTIONS request. The NelmioCorsBundle is checking for the Access-Control-Request-Method header. If that header does not exist, the preflight will fail.

I am not sure if this is needed for CORS or if it is needed for CORS with NelmioCorsBundle. I thought I would share it here and hopefully it will help other developers in the same situation.


The workaround would be to configure the forwarded headers yourself like:

```yaml
constructs:
    website:
        type: server-side-website
        # ...
        forwardedHeaders:
            - Accept
            - Accept-Language
            - Authorization
            - Content-Type
            - Origin
            - Referer
            - User-Agent
            - X-Forwarded-Host
            - X-Requested-With
            - Access-Control-Request-Method
```

Nyholm, Mar 15 '22 17:03
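To make the failure mode concrete, here is an added simulation (not code from lift or from NelmioCorsBundle) of the two pieces the thread describes: CloudFront dropping every request header that is not on the forwarded list, and a CORS layer that only recognises a preflight when the OPTIONS request still carries Access-Control-Request-Method. The CORS layer is a toy model written from the issue's description, the limit constant is an assumption taken from the thread, and the browser preflight is a constructed sample.

```python
from typing import Dict, List, Optional

# Cap on forwarded header names that the thread runs into
# (assumption: modelled as a constant, the value quoted in the issue).
FORWARDED_HEADER_LIMIT = 10

# The workaround list from the issue, Access-Control-Request-Method included.
FORWARDED_HEADERS = [
    "Accept", "Accept-Language", "Authorization", "Content-Type", "Origin",
    "Referer", "User-Agent", "X-Forwarded-Host", "X-Requested-With",
    "Access-Control-Request-Method",
]

def check_forward_list(headers: List[str]) -> bool:
    """True if the (case-insensitive) list fits within the header limit."""
    return len({h.lower() for h in headers}) <= FORWARDED_HEADER_LIMIT

def forward_to_origin(request: Dict[str, str], forwarded: List[str]) -> Dict[str, str]:
    """Model CloudFront forwarding: only whitelisted headers reach the origin."""
    allowed = {h.lower() for h in forwarded}
    return {k: v for k, v in request.items() if k.lower() in allowed}

def preflight_response(method: str, headers: Dict[str, str],
                       allowed_origin: str) -> Optional[Dict[str, str]]:
    """Toy CORS layer (not NelmioCorsBundle's code): a request counts as a
    preflight only if it is OPTIONS *and* carries Access-Control-Request-Method.
    Anything else gets None, i.e. no CORS headers, which the browser reports
    as a CORS failure."""
    lower = {k.lower(): v for k, v in headers.items()}
    if method != "OPTIONS" or "access-control-request-method" not in lower:
        return None
    if lower.get("origin") != allowed_origin:
        return None
    return {
        "Access-Control-Allow-Origin": allowed_origin,
        "Access-Control-Allow-Methods": lower["access-control-request-method"],
    }

# Constructed sample: the preflight Chrome sends before a cross-origin PUT.
BROWSER_PREFLIGHT = {
    "Origin": "https://app.example",
    "Access-Control-Request-Method": "PUT",
    "Access-Control-Request-Headers": "content-type,authorization",
}

def simulate(forwarded: List[str]) -> Optional[Dict[str, str]]:
    """Send the sample preflight through CloudFront, then the CORS layer."""
    at_origin = forward_to_origin(BROWSER_PREFLIGHT, forwarded)
    return preflight_response("OPTIONS", at_origin, "https://app.example")
```

With the default list (everything except the last entry) `simulate` returns None; with the workaround list it returns the allow headers, and appending Access-Control-Request-Headers makes `check_forward_list` fail, which is the limit t-richard describes.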

Thanks for opening this PR.

This is a pain and there is no correct way to handle this. For correct CORS handling, we would probably need to also add access-control-request-headers to the list but we would go above the 10 headers limit.

There has been a discussion about possibly increasing the limit via AWS support, but it never worked on my side :frowning_face: https://github.com/getlift/lift/issues/136

I really wish AWS Cloudfront would be more flexible here...

In the current situation, I'm not sure if this PR helps because we can't add access-control-request-headers.

t-richard, Mar 15 '22 18:03

It did help me. I also managed to squeeze in an extra header that I didn’t show in my workaround example.

Nyholm, Mar 15 '22 18:03