Issue with Access-control-allow-headers set to * (specifically on firefox)

anonymous · August 30, 2019, 5:49pm

I am using a CORS setting as below in Assign-Message policy on the response pre-flow of an api proxy.

*

Firefox complains with the below error (although its set to *).

Reason: missing token ‘cache-control’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel

The same settings work with Chrome and Edge.

When I explicitly set all the header names as below, the request goes through in firefox

Content-Type, x-api-key, x-api-version, Accept, Cache-Control, pragma, Authorization

Has anyone faced such an issue? Is setting the headers explicitly a best practice or setting it to * is still ok?

[P.S - I know, this is not really an Apigee problem. I just wanted to know from the folks here if they faced this issue and what’s the best way to fix it]

dchiesa1 · August 30, 2019, 6:59pm

A quick google search shows that support for wildcards in the Access-Control-Allow-Headers header was added to the “living standard” in 2016. Not all browsers have supported that change. [link]

The way to work around this is to either upgrade the browser, or use a non-wildcard value for Access-Control-Allow-Headers.

anonymous · August 30, 2019, 7:39pm

Thanks for the prompt response @Dino-at-Google. I do have the latest version of firefox(68.0.2), seems like its still not supported on it.

I liked the idea of echoing back the Access-Control-Request-Headers in the Access-Control-Allow-Headers on the response.

Topic		Replies	Views
CORS Preflight and Passing CORS header in response Apigee api-runtime	6	35	April 13, 2016
CORS Error : header contains multiple values ', ', but only one is allowed Apigee api-runtime	11	370	November 27, 2020
CORS error on Delete method Apigee api-runtime	20	32	July 9, 2015

Issue with Access-control-allow-headers set to * (specifically on firefox)

AI Suggested topics