Cross-Origin Resource Sharing (CORS) #331

Closed
somethingnew2-0 opened this issue May 26, 2017 · 4 comments

@somethingnew2-0

This is more of a question than a feature request, is there a historical reason the Cross-Origin Resource Sharing (CORS) headers aren't included in the list of headers configured by secureheaders? Has it just not been implemented yet? Do you all recommend using rack-cors as a complement to secureheaders instead of including this feature directly? Just curious 😄

@oreoshake
Contributor

> Has it just not been implemented yet?

It hasn't even been discussed from what I can tell or remember.

History 💤

> is there a historical reason the Cross-Origin Resource Sharing (CORS) headers aren't included in the list of headers configured by secureheaders?

My guess would be that CORS is flat out required for a lot of things on the internet today. Building on top of that, more people have experience configuring CORS and more providers have configuration APIs/configs/etc.

e.g. AWS has supported CORS for years and provides a way to set values, but makes it a pain to enable HSTS (and apparently has only recently started supporting it).

This library set out as a way to apply headers that were optional and often overlooked.

📖 💤 😴

Present ⌚️

I haven't used rack-cors but maybe @ejcx has or has an opinion?

Future 🚀

I could see this living in secure_headers.

@ejcx

ejcx commented May 26, 2017

Hey @oreoshake thanks for the ping. rack-cors actually has a fundamental problem that I wrote about almost a year ago: cyu/rack-cors#126

One thing to look out for is libraries that reflect an origin header when you specify an `Access-Control-Allow-Origin` policy of `*`. `*` should be `*`.
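
The behaviour described in the comment above can be checked from outside whatever library sets the headers. The Ruby sketch below is an added example, not part of the thread and not rack-cors or secure_headers code; the two Rack-style apps, the probe origins and the `audit_cors` helper are constructed for illustration.

```ruby
# Added example: constructed Rack-style apps (plain lambdas), no gems required.
ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"

# Hypothetical middleware configured with "*" that echoes the caller's Origin instead.
REFLECTING_APP = lambda do |env|
  origin = env["HTTP_ORIGIN"]
  headers = { "content-type" => "text/plain" }
  if origin
    headers[ACAO] = origin  # reflection: every origin is told it is the allowed one
    headers[ACAC] = "true"  # browsers reject "*" with credentials; reflection sidesteps that
  end
  [200, headers, ["ok"]]
end

# Same policy, but the wildcard is emitted literally.
LITERAL_APP = lambda do |_env|
  [200, { "content-type" => "text/plain", ACAO => "*" }, ["ok"]]
end

PROBES = ["https://app.example", "https://unrelated.example"].freeze # constructed origins

# Call the app once per probe origin and classify how it fills Access-Control-Allow-Origin.
def audit_cors(app, probes)
  results = probes.map do |origin|
    env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "HTTP_ORIGIN" => origin }
    _status, headers, _body = app.call(env)
    h = headers.to_h { |k, v| [k.downcase, v.to_s] } # header names are case-insensitive
    { origin: origin, acao: h[ACAO], credentials: h[ACAC] == "true" }
  end
  acaos = results.map { |r| r[:acao] }
  kind =
    if acaos.all?(&:nil?) then :no_cors
    elsif acaos.all? { |v| v == "*" } then :literal_wildcard
    elsif results.all? { |r| r[:acao] == r[:origin] } then :reflects_origin
    else :allowlist_or_mixed
    end
  reflected_with_creds = kind == :reflects_origin && results.any? { |r| r[:credentials] }
  { kind: kind, credentialed_reflection: reflected_with_creds }
end

if __FILE__ == $PROGRAM_NAME
  { "reflecting" => REFLECTING_APP, "literal" => LITERAL_APP }.each do |name, app|
    puts "#{name}: #{audit_cors(app, PROBES)}"
  end
end
```

Including an origin that no allowlist would contain is what separates reflection from a legitimate allowlist: an allowlist leaves the header off for that probe and is reported as `:allowlist_or_mixed`.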

@oreoshake
Contributor

I'm going to take the possibly unpopular opinion and say that CORS is too application-specific to be handled by this library given the alternatives.

I welcome all opinions counter to this proposal, but stale issues should be closed.

@ejcx

ejcx commented May 6, 2021

That's fair @oreoshake
