The code doesn't quite work as you expect. If there is no origin header at all, the input filter gets an empty array, not a null, so it does the wrong thing.
On Sat, Nov 12, 2011 at 2:35 AM, K Fung <[email protected]> wrote: > Hello, > > Are there any plans to expand this code so that covers both 5.1 and 5.2 of > the CORS specification (http://www.w3.org/TR/cors?) In particular, > > - Not blocking the request of it's an OPTIONS request but doesn't contain > the Origin header > - What if the request doesn't contain OPTIONS but does contain the Origin > header (section 5.1 of the spec) > - Adding support for Access-Control-Allow-Credentials (section 5.2 of the > spec, step 7) > - Adding support for Access-Control-Max-Age (section 5.2 of the spec, step > 8) > > Cheers, > kl
