-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Needed control over CORS Access-Control-Allow-Headers
and Access-Control-Expose-Headers
#3551
Comments
For PostgREST to return curl -X OPTIONS "http://localhost:3000/todos" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: X-App-Id" \
-H "Origin: http://www.example.com" -i
AFAIK the browser adds |
As mentioned, @laurenceisla Is there a way to control |
Not for now. The expose-headers are hard-coded here: postgrest/src/PostgREST/Cors.hs Lines 36 to 38 in b261abd
I'll update the title of this issue to include this header. |
Access-Control-Allow-Headers
and Access-Control-Expose-Headers
Environment
Description of issue
I am trying to add a custom header (x-app-id) to postgrest requests. My intention is to use the value of this header in RLS policies.
I noticed PostGREST has no way to add this header to the list of allowed headers: Access-Control-Allow-Headers
Would you consider supporting controlling the allowed headers via a configuration parameter similar to server-cors-allowed-origins ?
It would be something like:
server-cors-allowed-headers="Authorization, Content-Type, Accept, Accept-Language, Content-Language, X-App"
or to just configure the extra headers:
server-cors-allowed-headers="X-App"
Thank you,
Ra
The text was updated successfully, but these errors were encountered: