[keycloak-user] CORS only for OPTIONS?

Bill Burke bburke at redhat.com
Thu Apr 3 09:25:35 EDT 2014



On 4/3/2014 2:37 AM, Juraci Paixão Kröhling wrote:
> On 04/02/2014 09:30 PM, Bill Burke wrote:
>> Which headers are we not sending back?
>
> The Access-Control-* headers for non-preflight requests (i.e., a POST).
> Without an additional filter at the application side that adds CORS
> headers to the non-OPTIONS requests, the browsers would prevent the
> webapp from reading the response.
>
> I guess the question then is: why are the authenticated, non-preflight
> requests, not handled? I might be wrong, but I think that KC already
> has all the information it needs to handle such requests, no?
>

Authenticated, non-preflight requests are handled.  Non-authenticated 
requests are not handled.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
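
As an added illustration (not part of the original thread and not Keycloak code), this simplified JavaScript model of the browser's CORS checks shows the situation discussed above: the preflight passes, but the actual POST response carries no Access-Control-Allow-Origin header, so the webapp cannot read it. The origin, header values and function names are constructed for the example.

```javascript
// Simplified model of the browser-side CORS checks from the Fetch standard.
// Origin and header values are constructed sample data; "*" wildcards in
// Allow-Methods / Allow-Headers are not modelled.
const lower = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// The CORS check runs on EVERY cross-origin response, not only the preflight.
function corsCheck(origin, responseHeaders, withCredentials = false) {
  const h = lower(responseHeaders);
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;               // header missing
  if (!withCredentials && allow === '*') return true;  // wildcard, no credentials
  if (allow !== origin) return false;                  // must match exactly
  return !withCredentials || h['access-control-allow-credentials'] === 'true';
}

// Preflight: 2xx status, CORS check, then method and header approval.
function preflightAllows(origin, method, unsafeHeaders, preflight, withCredentials = false) {
  if (preflight.status < 200 || preflight.status > 299) return false;
  if (!corsCheck(origin, preflight.headers, withCredentials)) return false;
  const h = lower(preflight.headers);
  const m = method.toLowerCase();
  const methodOk = ['get', 'head', 'post'].includes(m) ||
    list(h['access-control-allow-methods']).includes(m);
  const allowed = list(h['access-control-allow-headers']);
  return methodOk && unsafeHeaders.every((n) => allowed.includes(n.toLowerCase()));
}

// Outcome as seen by the script running in the webapp.
function outcome(origin, method, unsafeHeaders, preflight, actual) {
  if (!preflightAllows(origin, method, unsafeHeaders, preflight)) return 'request-not-sent';
  return corsCheck(origin, actual.headers) ? 'readable' : 'sent-but-unreadable';
}

const ORIGIN = 'https://app.example';
const PREFLIGHT = { status: 200, headers: {
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Methods': 'POST',
  'Access-Control-Allow-Headers': 'Authorization, Content-Type' } };
const POST_NO_CORS = { status: 200, headers: { 'Content-Type': 'application/json' } };
const POST_CORS = { status: 200, headers: { ...POST_NO_CORS.headers,
  'Access-Control-Allow-Origin': ORIGIN } };

console.log(outcome(ORIGIN, 'POST', ['Authorization'], PREFLIGHT, POST_NO_CORS));
console.log(outcome(ORIGIN, 'POST', ['Authorization'], PREFLIGHT, POST_CORS));
```

In the "sent-but-unreadable" case the server has already processed the POST; only the script's access to the response is withheld.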

