cors
cors copied to clipboard
Add Access-Control-Allow-Origin before aborting
I plan on sending a PR at some point, just opening this for reference or if someone else wants to grab it.
I think here if we respond with Access-Control-Allow-Origin
first it'll lead to nicer browser errors, and require fewer trips to enabling debugging with this middleware to discover what went wrong.
Currently this kind of masks issues with the other fields, so the browser basically just says you don't have access at all. Let me know if that sounds reasonable!
Re-reading the spec, I'm not sure we should stop the processing of the preflight request until there is a parsing error. I might revisit this.
When the browser uses <img crossOrigin=Anonymous>
there is no pre-flight and this line here halts the execution before isOriginAllowed
realizes the desired *
origins.
Should I open a separate issue or are we talking about the same thing?
Yes, I think it's a different issue.
@tj For what it's worth, I mentioned this issue in my latest my blog post.
Related: https://github.com/whatwg/fetch/issues/1588