Hi,
I am trying to handle preflight responses in APIM using the in-built <cors> policy
I have the <cors> policy configured as below on the inbound
<cors>
<allowed-origins>
<origin>https://demo4.myori.com</origin>
<origin>http://localhost:4200</origin>
<origin>https://localhost:44346</origin>
</allowed-origins>
<allowed-methods>
<method>GET</method>
<method>POST</method>
<method>PUT</method>
<method>DELETE</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
</cors>
When a preflight request is received, only the Access-Control-Allow_Origin header is set. The Access-Control-Allow-Methods and Access-Control-Allow-Headers are not set. Is there something that needs to be done explicitly to handle this.
Additional Details:
I have defined an operation for OPTIONS with route /*, removed <base/> for backend in this operation. This is to prevent the request from getting forwarded to the backend. The backend doesnt handle OPTIONS requests, if fwded to the backend a 404 error is seen.
On the outbound for All Operations, the set-header policy to set the preflight headers are configured. However, those are not set.
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>@(context.Request.Headers.GetValueOrDefault("Origin",""))</value>
</set-header>
<set-header name="Access-Control-Allow-Headers" exists-action="override">
<value>*</value>
</set-header>
<set-header name="Access-Control-Allow-Methods" exists-action="override">
<value>*</value>
</set-header>