Suggestion: Improve CORS headers settings granularity

[pvbergen]

Dear Luracast/Restler team,

I have two propositions concerning the CORS implementation in Restler RC5.

• I have encountered an unexpected behavior when using Defaults::$crossOriginResourceSharing. Both Access-Control-Allow-Credentials and Access-Control-Max-Age are set to fixed values if CORS is enabled. I understand that this behavior might be useful to for people new to CORS. Nevertheless, allowing credentials or caching preflight responses for exactly a day might not be intented by the developer and he might prefer to override the default settings.
• Secondly, it might be helpful to developers new to CORS to have a way to set additionally allowed headers (X type ones) using something array|string Defaults::$access-control-allow-headers. This allows to discourage the usage of non-prefixed custom headers too.

I know, both propositions are not of major importance, I just stumbled upon them when enabling CORS for my application and would like to hear your thoughts on them.

[Arul-]

@pvbergen thanks for your suggestions, I will look at the possibilities and get back to you