Setting `access-control-allow-origin` header does not work

When using http_request to serve content it occurred to me that when i try to set the access-control-allow-origin through the headers it can’t be changed and always default to *.

i tried changing;

  • changing order
  • upper- / lowercase
  • changing the value

Other headers are set as expected;

let headers = vec![
    HeaderField("content-type".to_string(), "image/png".to_string()),
    HeaderField("accept-ranges".to_string(), "bytes".to_string()),
    HeaderField("content-length".to_string(), size.to_string()),
    HeaderField("david".to_string(), "does_it_work".to_string()),
    HeaderField("access-control-allow-origin".to_string(), format!("https://{}", id().to_string())),

What can cause this? and how can i fix it? :slight_smile:

It looks like you’re using the raw endpoints.

There is explicit config in nginx to force those access control headers, see:

We’re discussing if it makes sense to have these set for raw.
On one hand it doesn’t necessarily make sense for that header to be there for raw on the other hand, if we remove it there’s a good chance it will break canisters that rely on those headers being there…

1 Like

Thanks for the quick response, and yes i’m. using raw endpoints for this.

Wouldn’t it be possible to set them by default but let them be overridden, so exisiting canister won’t break?