Origin validation on OPTIONS

[slashmili]

Do you think if it's necessary to do check the request's origin against the configuration on OPTIONS request?

[CrowdHailer]

Doesn't the line below the one you linked to recall the headers function but with method set to nil so that it goes on to check the requests origin here.

cors_plug/lib/cors_plug.ex

Line 54 in 5dfdbb7

headers(%{conn | method: nil}, options) ++

then

cors_plug/lib/cors_plug.ex

Line 64 in 5dfdbb7

allowed_origin = origin(options[:origin], conn)

[slashmili]

What I mean is in here

cors_plug/lib/cors_plug.ex

Lines 56 to 63 in 1ca97ed

	defp headers(conn = %Plug.Conn{method: "OPTIONS"}, options) do
	headers(%{conn | method: nil}, options) ++
	[
	{"access-control-max-age", "#{options[:max_age]}"},
	{"access-control-allow-headers", allowed_headers(options[:headers], conn)},
	{"access-control-allow-methods", options[:methods]}
	]
	end

we always set access-control-* headers regardless of the origin is set in configuration or not

[CrowdHailer]

Ahh yes I see. Same check as is found here

cors_plug/lib/cors_plug.ex

Line 74 in 1ca97ed

defp cors_headers(nil, _options) do

Could you add a test case that fails because of how it is currently set up. Then we can work out the best way to fix it