CORS is implemented in such a way that it does not break assumptions made in the pre-CORS, same-origin-only world. In the pre-CORS world, a client could trigger a cross-origin request (for example, via a script tag), but it could not read the response headers. In order to ensure that CORS doesn’t break this assumption, the … Read more
The quickest way to do this is to filter on -method:OPTIONS. Explanation: all pre-flight requests are via the HTTP OPTIONS method (opposed to POST or GET). This filter says “not method OPTIONS”. Note the leading hyphen because if you forget it, you’ll only show pre-flight requests.
Consider the case in which a service worker acts as an agnostic cache. Your only goal is serve the same resources that you would get from the network, but faster. Of course you can’t ensure all the resources will be part of your origin (consider libraries served from CDNs, for instance). As the service worker … Read more
The CORS spec is all-or-nothing. It only supports *, null or the exact protocol + domain + port: http://www.w3.org/TR/cors/#access-control-allow-origin-response-header Your server will need to validate the origin header using the regex, and then you can echo the origin value in the Access-Control-Allow-Origin response header.