If the list of exposed headers is not empty, add one or more Access-Control-Expose-Headers headers, with the header field names given in the list of exposed headers as values.
By not adding the appropriate headers, a resource can also clear the preflight result cache of all entries where origin is a case-sensitive match for the value of the Origin header and url is a case-sensitive match for the URL of the resource.
Fully handle preflight requests. If a preflight request is deemed to be unacceptable, a 200 OK response is served without CORS headers.
Adds CORS response headers to the response for every non-preflight request whose 'Origin' header is set to a value that is allowed by the Policy.
Let header field-names be the values obtained by parsing the Access-Control-Request-Headers headers. If there are no Access-Control-Request-Headers headers, let header field-names be the empty list.
Let method be the value obtained by parsing the Access-Control-Request-Method header.
http://www.w3.org/TR/cors/#resource-preflight-requests
http://www.w3.org/TR/cors/#resource-requests
If each of the header field-names is a simple header and none is Content-Type, then this step may be skipped.
Add one or more Access-Control-Allow-Headers headers consisting of (a subset of) the list of headers.
Optionally add a single Access-Control-Max-Age header whose value is the number of seconds the user agent is allowed to cache the result of the request.
If method is a simple method this step may be skipped.
Add one or more Access-Control-Allow-Methods headers consisting of (a subset of) the list of methods.
If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.
Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.
n.b. The string "*" cannot be used for a resource that supports credentials.
Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins.
An HTTP filter that handles preflight (OPTIONS) requests and sets CORS response headers as described in the W3C CORS spec.
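The header decisions described above, sketched in Python as an added example; this is not the code of the filter this page documents. The `Policy` fields and the `cors_headers` function are hypothetical names, and the policy is assumed to list allowed header names in lower case.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    # Hypothetical policy object; field names are assumptions for this example.
    allowed_origins: frozenset
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_headers: frozenset = frozenset({"content-type"})  # lower-case names
    exposed_headers: tuple = ()
    supports_credentials: bool = False
    max_age: Optional[int] = None

def _origin_headers(policy, origin):
    """Allow-Origin (and credentials) headers for an origin already accepted."""
    if policy.supports_credentials:
        # "*" is invalid with credentials, so echo the Origin value.
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    if "*" in policy.allowed_origins:
        return {"Access-Control-Allow-Origin": "*"}
    # Dynamic value: Vary keeps caches from reusing it across origins.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

def cors_headers(policy, method, request_headers):
    """Return the CORS response headers for one request ({} means none)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    wildcard = "*" in policy.allowed_origins and not policy.supports_credentials
    if origin is None or not (origin in policy.allowed_origins or wildcard):
        return {}
    if method == "OPTIONS" and "access-control-request-method" in req:
        wanted = req["access-control-request-method"].strip()
        raw = req.get("access-control-request-headers", "")  # absent: empty list
        names = [h.strip().lower() for h in raw.split(",") if h.strip()]
        if wanted not in policy.allowed_methods or \
                any(h not in policy.allowed_headers for h in names):
            return {}  # unacceptable preflight: 200 OK without CORS headers
        out = _origin_headers(policy, origin)
        if policy.max_age is not None:
            out["Access-Control-Max-Age"] = str(policy.max_age)
        out["Access-Control-Allow-Methods"] = wanted
        if names:
            out["Access-Control-Allow-Headers"] = ", ".join(names)
        return out
    out = _origin_headers(policy, origin)
    if policy.exposed_headers:
        out["Access-Control-Expose-Headers"] = ", ".join(policy.exposed_headers)
    return out
```

A policy that combines `"*"` with credentials matches no origin here, so the filter never reflects an arbitrary Origin value alongside Access-Control-Allow-Credentials.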