CORS not restricting domains
aleemb opened this issue
aleemb commented
Expected behaviour:
Run the example-projects/web-api-custom-cors and test the following request:
curl 'https://xxxxxxx.execute-api.eu-west-1.amazonaws.com/latest/echo' -H 'Origin: https://www.foo.bar' -vvvv
Should not return the following header since Origin is not claudiajs.com:
Access-Control-Allow-Origin: *
What actually happens:
Returns header:
Access-Control-Allow-Origin: *
Gojko Adzic commented
You forgot -X OPTIONS for preflight requests in Curl. Browsers use that to determine CORS.
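The preflight distinction raised in the thread, as an added example that is not part of the original issue or the Claudia project's code: a simplified model of the browser-side checks from the Fetch standard, run over constructed responses. The preflight header values are assumptions, and the function names are hypothetical.

```javascript
// Simplified model of the browser-side checks in the Fetch standard
// (non-credentialed requests only; Access-Control-Allow-Headers matching is left out).
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

// CORS check: the response must carry "*" or the exact serialized request origin.
function corsCheck(origin, headers) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// A preflight is sent when the method is not safelisted or the request carries
// headers outside the safelist (the caller passes only those in extraHeaders).
function needsPreflight(method, extraHeaders = []) {
  return !SAFELISTED_METHODS.includes(method) || extraHeaders.length > 0;
}

function preflightAllows(origin, method, preflight) {
  if (preflight.status < 200 || preflight.status > 299) return false;
  if (!corsCheck(origin, preflight.headers)) return false;
  if (SAFELISTED_METHODS.includes(method)) return true;
  const methods = (preflight.headers['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim());
  return methods.includes(method) || methods.includes('*');
}

// Would page script at `origin` be allowed to read the response?
function browserAllows(origin, request, preflight, actual) {
  if (needsPreflight(request.method, request.extraHeaders) &&
      !preflightAllows(origin, request.method, preflight)) return false;
  return corsCheck(origin, actual.headers);
}

// Constructed sample responses (not captured from a real deployment).
const actual = { status: 200, headers: { 'access-control-allow-origin': '*' } };
const preflight = {
  status: 200,
  headers: {
    'access-control-allow-origin': 'https://claudiajs.com', // assumed restricted value
    'access-control-allow-methods': 'GET,PUT,OPTIONS',
  },
};

const foo = 'https://www.foo.bar';
console.log(browserAllows(foo, { method: 'PUT' }, preflight, actual));                     // false
console.log(browserAllows('https://claudiajs.com', { method: 'PUT' }, preflight, actual)); // true
console.log(browserAllows(foo, { method: 'GET' }, preflight, actual));                     // true
```

The last case is the one to watch when reviewing a deployment: a plain GET is not preflighted, so the header on the actual response is the only thing the browser checks.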