claudiajs / claudia-api-builder

Use AWS API Gateway as if it were a lightweight JavaScript web server

CORS not restricting domains

aleemb opened this issue · comments


Expected behaviour:

Run the example-projects/web-api-custom-cors and test the following request:

curl 'https://xxxxxxx.execute-api.eu-west-1.amazonaws.com/latest/echo' -H 'Origin: https://www.foo.bar' -vvvv

Should not return the following header since Origin is not claudiajs.com:

Access-Control-Allow-Origin: *

What actually happens:

Returns header:

Access-Control-Allow-Origin: *

You forgot -X OPTIONS for preflight requests in curl. Browsers use that to determine CORS.
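
An added example, not part of the issue thread and not claudia-api-builder code: the Fetch standard's CORS check that a browser applies to response headers, run against the header reported above and against a constructed restricted response. The function names and the `https://claudiajs.com` header value are assumptions made for illustration.

```javascript
// Added example: the Fetch standard's "CORS check" on response headers.
// Browsers run this same check on a preflight (OPTIONS) response and on
// the actual response. All sample responses below are constructed.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  // Header names are case-insensitive, so normalise them first.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined || allowOrigin === '') {
    return { allowed: false, reason: 'Access-Control-Allow-Origin missing or empty' };
  }
  if (allowOrigin === '*') {
    // The wildcard is only honoured for requests made without credentials.
    return withCredentials
      ? { allowed: false, reason: 'wildcard not accepted with credentials' }
      : { allowed: true, reason: 'wildcard matches any origin' };
  }
  // Any other value must equal the serialized request origin exactly.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: `origin mismatch (${allowOrigin})` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'origin matches' };
}

// Origin sent by the curl command in the issue.
const origin = 'https://www.foo.bar';
// Header the issue reports receiving.
const reported = { 'Access-Control-Allow-Origin': '*' };
// Constructed response from a server that restricts to one origin (assumed value).
const restricted = { 'access-control-allow-origin': 'https://claudiajs.com' };

function auditSamples() {
  return {
    reported: corsCheck(origin, reported),
    reportedWithCredentials: corsCheck(origin, reported, true),
    restricted: corsCheck(origin, restricted),
  };
}

console.log(auditSamples());
```
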