Allowing all headers should be removed #23
Comments
Proposed solution: mark the constant as deprecated and do not send it to the client (it's not recognizable anyway).
link here original idea #15
Allow all headers could just return all requested headers, right?
@barryvdh It's related to the `Access-Control-Allow-Headers` header. On
@barryvdh BTW if you think it would be better to send them all back you can easily override it here and here. Also https://github.com/neomerx/cors-psr7#advanced-usage If you have any further questions please don't hesitate to ask.
Currently there is a config option `Settings::VALUE_ALLOW_ALL_HEADERS` which should allow all headers to pass through CORS. It works fine for internal lib logic. No problem here. The problem is that this value `*` is actually sent to the client in `Access-Control-Allow-Headers` and browsers don't understand this value.

It looks like the only possible way is listing all allowed headers, and the special `*` should be removed.

It was added mostly to make development easier. However, since logging has been added to the lib, this feature is not so important.

It is recommended to avoid using `Settings::VALUE_ALLOW_ALL_HEADERS` and just list all allowed headers in `Settings::KEY_ALLOWED_HEADERS`.
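
An added example, not code from cors-psr7 or from this thread: one way to derive the `Access-Control-Allow-Headers` value for a preflight response from an explicit allow-list, so that a literal `*` is never sent to the client. The function name `buildAllowHeaders` and the sample allow-list are hypothetical, and the code does not use the library's `Settings` API.

```php
<?php
declare(strict_types=1);

/**
 * Build the Access-Control-Allow-Headers value for a preflight response.
 *
 * $allowedHeaders     explicit server-side allow-list (hypothetical config array)
 * $requestHeadersLine raw Access-Control-Request-Headers value from the preflight
 *
 * Returns null when a requested header is not on the allow-list, in which
 * case the caller should answer the preflight without CORS headers.
 */
function buildAllowHeaders(array $allowedHeaders, string $requestHeadersLine): ?string
{
    // Header names are case-insensitive, so index the allow-list by lowercase name.
    $allowed = [];
    foreach ($allowedHeaders as $name) {
        $name = trim($name);
        if ($name === '' || $name === '*') {
            // Refuse the wildcard at configuration time instead of echoing it to the client.
            throw new InvalidArgumentException('List header names explicitly instead of "*".');
        }
        $allowed[strtolower($name)] = $name;
    }

    $granted = [];
    foreach (explode(',', $requestHeadersLine) as $requested) {
        $key = strtolower(trim($requested));
        if ($key === '') {
            continue; // tolerate empty list members such as "a,,b"
        }
        if (!isset($allowed[$key])) {
            return null; // requested header is not allowed
        }
        $granted[$key] = $allowed[$key]; // keyed by name, so duplicates collapse
    }

    return implode(', ', $granted);
}

// Constructed sample input, not taken from the project.
$allowList = ['Content-Type', 'Authorization', 'X-Requested-With'];

var_dump(buildAllowHeaders($allowList, 'content-type, authorization'));
var_dump(buildAllowHeaders($allowList, 'content-type, x-debug-token'));
```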