Suggestion: Improve CORS headers settings granularity #387

Open
@pvbergen

Description

Dear Luracast/Restler team,

I have two propositions concerning the CORS implementation in Restler RC5.

  • I have encountered an unexpected behavior when using Defaults::$crossOriginResourceSharing. Both Access-Control-Allow-Credentials and Access-Control-Max-Age are set to fixed values if CORS is enabled. I understand that this behavior might be useful for people new to CORS. Nevertheless, allowing credentials or caching preflight responses for exactly a day might not be intended by the developer and he might prefer to override the default settings.
  • Secondly, it might be helpful to developers new to CORS to have a way to set additionally allowed headers (X type ones) using something like array|string Defaults::$access-control-allow-headers. This allows discouraging the usage of non-prefixed custom headers too.

I know both propositions are not of major importance; I just stumbled upon them when enabling CORS for my application and would like to hear your thoughts on them.
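
The granularity requested above, as an added example that is not part of the original issue and is not Restler code: a standalone PHP function that emits Access-Control-Allow-Credentials, Access-Control-Max-Age and Access-Control-Allow-Headers only when the developer configures them. The function name, the config keys and the sample origin are hypothetical.

```php
<?php
// Added illustration, not Restler code. Function name and config keys are hypothetical.
function buildCorsHeaders(array $cfg, ?string $origin, bool $isPreflight): array
{
    // No Origin header, or origin not on the allow-list: send no CORS headers.
    if ($origin === null || !in_array($origin, $cfg['allowedOrigins'], true)) {
        return [];
    }
    $headers = [
        'Access-Control-Allow-Origin' => $origin,
        'Vary' => 'Origin', // response differs per origin, so caches must key on it
    ];
    // Credentials are opt-in rather than fixed to "true".
    if (!empty($cfg['allowCredentials'])) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    if ($isPreflight) {
        $headers['Access-Control-Allow-Methods'] = implode(', ', $cfg['allowedMethods']);
        // Extra request headers may be given as a string or as an array.
        $extra = (array) ($cfg['allowedHeaders'] ?? []);
        if ($extra) {
            $headers['Access-Control-Allow-Headers'] = implode(', ', $extra);
        }
        // Preflight cache lifetime is chosen by the developer, or omitted entirely.
        if (isset($cfg['maxAge'])) {
            $headers['Access-Control-Max-Age'] = (string) (int) $cfg['maxAge'];
        }
    }
    return $headers;
}

// Constructed sample configuration and request origin.
$cfg = [
    'allowedOrigins'   => ['https://app.example.test'],
    'allowedMethods'   => ['GET', 'POST'],
    'allowedHeaders'   => ['X-Requested-With', 'X-Api-Key'],
    'allowCredentials' => false, // cookies and HTTP auth are not exposed cross-origin
    'maxAge'           => 600,   // ten minutes instead of a fixed day
];
foreach (buildCorsHeaders($cfg, 'https://app.example.test', true) as $name => $value) {
    echo "$name: $value\n";
}
```

With this sample configuration the preflight response carries no Access-Control-Allow-Credentials header at all, and a request from an origin outside the allow-list receives no CORS headers.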
