CORS and key header
Hello @gmouchard, @darwingonzalez,
With Darwin we're starting to test the frontend on top of the proxy configuration.
The frontend is at https://decoder-frontend.ow2.org/
and the backend tools APIs are at https://decoder-tool.ow2.org/
For instance https://decoder-frontend.ow2.org/pkm/
It means that we will get under the scope of CORS, e.g. the webapp runs in a different domain than the backend resources.
Of course, we could have kept both endpoints under the same domain, but I still think it's better to separate the frontend and the backend. If you have a different feeling about it, it can be discussed of course.
Back to the issue: if you try to log in to the frontend, you'll notice that /pkm/user/login happens smoothly, but when it comes to subsequent calls with the key header, the browser gets denied because of CORS, per the pkm API header answer, with:
Access-Control-Allow-Headers: Origin, Content-Type, Accept
If we want this to work, from my understanding, the pkm API should answer with an Access-Control-Allow-Headers that includes the key header field name, as:
Access-Control-Allow-Headers: Origin, Content-Type, Accept, key
@gmouchard, if it sounds consistent to you, could you add the field in the Access-Control-Allow-Headers header in the response from the PKM?
Regards,
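
Added example, not part of the original post or the PKM code: a simplified JavaScript model of the header check a browser applies to a CORS preflight response, run against the two Access-Control-Allow-Headers values quoted above. The request header sets, the JSON login content type and the key value are constructed assumptions; value-length limits on safelisted headers are not modelled.

```javascript
// Simplified model of the header part of a CORS preflight check (Fetch spec).
// These request headers are always safelisted and never need server approval.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Split a comma-separated header value into lowercase tokens.
function parseList(value) {
  return (value || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Names of request headers that the preflight response must explicitly allow.
function unsafeHeaderNames(requestHeaders) {
  const names = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    const n = name.toLowerCase();
    if (SAFELISTED.has(n)) continue;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue;
    }
    names.push(n);
  }
  return names.sort();
}

// Returns the header names the preflight response does not allow ([] = pass).
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials = false) {
  const allowed = new Set(parseList(allowHeadersValue));
  // "*" is only a wildcard for requests sent without credentials.
  const wildcard = allowed.has('*') && !withCredentials;
  return unsafeHeaderNames(requestHeaders).filter((n) => {
    if (allowed.has(n)) return false;
    // "*" never covers Authorization, which must be listed explicitly.
    return !(wildcard && n !== 'authorization');
  });
}

// Constructed requests modelled on the two calls described in the post.
const PKM_ALLOW = 'Origin, Content-Type, Accept';
const login = { 'Content-Type': 'application/json', Accept: 'application/json' };
const keyed = { Accept: 'application/json', key: 'constructed-session-key' };

console.log('login, current policy:', blockedHeaders(login, PKM_ALLOW));
console.log('keyed, current policy:', blockedHeaders(keyed, PKM_ALLOW));
console.log('keyed, proposed policy:', blockedHeaders(keyed, PKM_ALLOW + ', key'));
```

Listing key by name rather than answering with * keeps the policy valid if the frontend later sends credentialed requests, where the wildcard is taken literally.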