CORS headers are not returned in redirect responses

[dweber019]

If a browser is requesting a product with a redirect, because it has been renamed, a CORS error is thrown.

See dweber019/backstage-plugins#3

Calling https://endoflife.date/api/springboot.json behaves differently than calling https://endoflife.date/api/spring-boot.json CORS wise.

[welcome]

Thank you for opening your first issue here 👍. Be sure to follow the issue template if you chose one.

[marcwrobel]

Hi @dweber019, thanks for raising this issue.

Just quickly went through https://developer.mozilla.org/en-US/docs/Web/http/CORS#simple_requests and maybe this is because the request Content-Type is application/json ?

[marcwrobel]

Reproduce using a local html file containing:

<html>
<body>
<script>
const fetchPromise = fetch("https://endoflife.date/api/springboot.json");

fetchPromise
  .then((response) => response.json())
  .then((data) => {
    console.log(data);
  });
</script>
</body>
</html>

[marcwrobel]

Looks like our default set of headers is not returned by Netlify.

It is defined here:

endoflife.date/_headers

Line 35 in 4563e9d

/api*

.

But for redirects we have:

$ http -h https://endoflife.date/api/springboot.json
HTTP/1.1 301 Moved Permanently
Age: 0
Cache-Status: "Netlify Edge"; fwd=miss
Content-Type: text/plain
Date: Thu, 22 Feb 2024 21:02:38 GMT
Location: /api/spring-boot.json
Netlify-Vary: query
Server: Netlify
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
X-Nf-Request-Id: 01HQ9A17PEK8C03ECGGSPGBY7E

[marcwrobel]

Will read in detail https://answers.netlify.com/t/access-control-allow-origin-policy/1813/7 when I have some time to see if something can be done about this issue.

In the mean time the best solution is, as @dweber019 recommended it in dweber019/backstage-plugins#3, to use a path that will not cause a redirect.