skimdz86 opened a new issue, #9307: URL: https://github.com/apache/apisix/issues/9307
### Description

When using the CORS plugin, I'd like to be able to also set the Timing-Allow-Origin header (https://www.w3.org/TR/resource-timing/#sec-timing-allow-origin).

The plugin configuration for this header should be separate from the one dedicated to the Access-Control-Allow-Origin header (so I should be able to set 2 different allowed values for these headers). I'm not completely sure about the need for this separation in the real world, but a possible use case could be:

- I set Access-Control-Allow-Origin: *
- I restrict the domains that can see the timings by setting Timing-Allow-Origin: https://my-specific-domain.com

The plugin configuration should have 2 fields to configure the Timing-Allow-Origin header, similarly to Access-Control-Allow-Origin: a field for accepting a single value, "timing_allow_origin", and a field "timing_allow_origin_by_regex" to match different possible origins.

I think that the new header should be set in the response by the plugin only if the user chooses to configure it in the CORS plugin configuration, also given the fact that setting the value * (wildcard) may be considered insecure (see discussion https://github.com/w3c/resource-timing/issues/222), and so we cannot set it as the default.

If you agree on the issue, I would like to try implementing this feature.
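The behaviour requested above, modelled as an added example; it is not code from the issue or from APISIX. The field names `timing_allow_origin` and `timing_allow_origin_by_regex` come from the issue; the function names, the choice to echo the origin only on a match, the `Vary: Origin` handling and the sample origins are assumptions.

```python
import re

def timing_allow_origin_value(conf, request_origin):
    """Return the Timing-Allow-Origin value to send, or None to omit the header."""
    exact = conf.get("timing_allow_origin")
    patterns = conf.get("timing_allow_origin_by_regex") or []
    # Nothing configured: never emit the header, so there is no implicit "*" default.
    if exact is None and not patterns:
        return None
    # The wildcard is sent only when the operator wrote it explicitly.
    if exact == "*":
        return "*"
    if not request_origin:
        return None
    if request_origin == exact:
        return request_origin
    # fullmatch anchors the pattern at both ends, so a pattern written for
    # "*.example.com" cannot also accept "app.example.com.other.test".
    for pattern in patterns:
        if re.fullmatch(pattern, request_origin):
            return request_origin
    return None

def timing_headers(conf, request_origin):
    """Build the timing-related response headers for one request."""
    headers = {}
    configured = conf.get("timing_allow_origin") is not None or bool(
        conf.get("timing_allow_origin_by_regex"))
    value = timing_allow_origin_value(conf, request_origin)
    if value is not None:
        headers["Timing-Allow-Origin"] = value
    # The response depends on the request Origin unless the value is "*",
    # so shared caches must key on it even when the header is omitted.
    if configured and value != "*":
        headers["Vary"] = "Origin"
    return headers

# Constructed sample configurations (the first mirrors the issue's use case).
SINGLE = {"timing_allow_origin": "https://my-specific-domain.com"}
BY_REGEX = {"timing_allow_origin_by_regex": [r"https://[a-z0-9-]+\.example\.com"]}
```
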
