Apps: Add CORS options "allow_headers" and "allow_methods" to Application Specification
My API accepts a JWT within the "Authorization" header as a Bearer token. Per CORS my API should allow every origin, but also accept the "Authorization" header to authenticate client requests.
Client side I am getting the CORS error: “Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.”, while working with an Application Specification file, where I added a CORS "allow_origins" setting containing "regex: .*", thus allowing every origin.
Since "allow_headers" or "allow_methods" are not yet available in the App Specification, I can't set them and the problem resides.
To solve the problem mentioned above I'd need to set a "allow_headers" setting like so:
allow_headers:
- authorization
Additionally it'd be nice to set "allow_methods" like so:
allow_methods:
- post
- options
-
Nicklas Reincke
- Nov 4 2020
- Needs review
Related ideas
I'm having the same problem here!
Attachments Open full size
Is there any update on this? We're really keen to move a number of applications to the App Platform. Whilst this out of the box CORS protection has value, we manage CORS in our application so really need a way to more fully configure and/or disable the built in protection.
Attachments Open full size
I'm having the same problem
Attachments Open full size
Allowing us to just disable/bypass the DO CORs handlers on a per-app basis would be another option. At the moment, it's really unfortunate that we have no control over this.
Attachments Open full size
I love the app platform, but need to be able to change the headers/methods...
Attachments Open full size
This blocks me from using apps even though i really love the setup
Attachments Open full size
I have the same problem, can't believe basic things like that don't exist in the app platform yet.
Attachments Open full size
Is there any update? Auth headers are suuuuper common. I want to be able to use [and pay $$$ for] App Platform in a professional setting, but yo. I need headers support.
Attachments Open full size
I think this is the only thing stopping me from migrating some staging environments from droplets to the app platform, which I'd love to do : ).
Attachments Open full size
I'm having the same problem, unfortunently, it looks like they don't care.
Attachments Open full size
Ah please is this going to be a thing? I can't migrate to the App Platform if my app is going to be rejected for not allowing an Authorization header, which is happening on staging right now
Attachments Open full size