CORS and key header
With Darwin we're starting to test the frontend on top of the proxy configuration.
The frontend is at https://decoder-frontend.ow2.org/
and the backend tools APIs are at https://decoder-tool.ow2.org/
For instance https://decoder-frontend.ow2.org/pkm/
It means that we will get under the scope of CORS, i.e., the webapp runs in a different domain than the backend resources.
Of course, we could have kept both endpoints under the same domain, but I still think it's better to separate the frontend and the backend. If you have a different feeling about it, it can be discussed, of course.
Back to the issue: if you try to log in to the frontend, you'll notice that /pkm/user/login happens smoothly, but when it comes to subsequent calls with the key header, the browser gets denied because of CORS, per the pkm API header answer:
Access-Control-Allow-Headers: Origin, Content-Type, Accept
If we want this to work, from my understanding, the pkm API should send an Access-Control-Allow-Headers that includes the key header field name, as:
Access-Control-Allow-Headers: Origin, Content-Type, Accept, key
@gmouchard, if it sounds consistent to you, could you add the field in the Access-Control-Allow-Headers header in the response from the PKM?
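
The preflight header check described in this issue, as an added example that is not part of the original post or the PKM code: it models how a browser compares a request's headers against Access-Control-Allow-Headers, and goes slightly beyond the issue by also covering the `*` wildcard. The function names and the sample key value are hypothetical.

```javascript
// Added example: a simplified model of the header check a browser applies to
// a CORS preflight response (Fetch spec value-length and byte rules omitted).
const SIMPLE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a request header never needs to appear in Access-Control-Allow-Headers.
function isSafelisted(name, value) {
  if (name === "content-type") {
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return SIMPLE_CONTENT_TYPES.has(mime);
  }
  return SIMPLE_NAMES.has(name);
}

// Parse an Access-Control-Allow-Headers value into a set of lowercase names.
function parseAllowHeaders(value) {
  return new Set((value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// Return the request header names that the preflight response does not permit.
function blockedHeaders(requestHeaders, allowHeadersValue, { credentials = false } = {}) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" acts as a wildcard only without credentials and never covers Authorization.
  const wildcard = allowed.has("*") && !credentials;
  return Object.entries(requestHeaders)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => {
      if (allowed.has(name)) return false;
      if (name === "authorization") return true;
      return !isSafelisted(name, value) && !wildcard;
    })
    .map(([name]) => name);
}

// Constructed request: a JSON call made after login, carrying the key header.
const request = { "Content-Type": "application/json", key: "constructed-session-key" };
const current = "Origin, Content-Type, Accept";        // value quoted in the issue
const proposed = "Origin, Content-Type, Accept, key";  // value proposed in the issue

console.log(blockedHeaders(request, current));   // [ 'key' ]
console.log(blockedHeaders(request, proposed));  // []
```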