OPTIONS response prior to performing PUT does not contain Access-Control-Allow-Origin or Access-Control-Expose-Headers headers. Rejected by Chrome.

[jamesmillerio]

I was attempting to perform a PUT operation from Angular and kept getting rejected by CORS in Chrome. I checked the GET request I did prior to the PUT and noticed it went through fine (though no OPTIONS request was done for the GET). Upon attempting a PUT, the OPTIONS request goes through and returns a 200 as you'd expect with the Allow response header, but not the Access-Control-Allow-Origin or Access-Control-Expose-Headers headers. This caused Chrome to deny the request.

I've done some digging in mora and go-restful and it looks like the CrossOriginResourceSharing Filter method isn't being called on the OPTIONS request, though I'm not sure if that's by design and the OPTIONSFilter container func should be handling this instead. The CrossOriginResourceSharing filter method does get called successfully for the GET. I haven't checked to see if it gets called for DELETE or POST yet.

Also, for completeness sake, I haven't touched the cors setting in mora.properties. It was left in its default state of true.

Thanks for the great project!

[jamesmillerio]

I submitted a pull request to go-restful for a solution I used to fix the problem. Tests have been added to account for the change also. Hopefully you'll find it satisfactory.