CORS requirement too strict?
The checker requires the presence of the header Access-Control-Allow-Origin: *, but that is not the only way to be CORS compliant.
CORS headers come from the context of browsers, and browsers include an Origin header when doing CORS. In response to such a request with a particular origin, the server only needs to respond with Access-Control-Allow-Origin: that-original-origin. It shouldn't actually need to respond with a * on every request, just to CORS requests that have the Origin header included.
This is what Javalin does: https://github.com/tipsy/javalin/issues/854
It appears to me that the checker could be relaxed by adding an Origin header to requests and checking whether the response contains either * or that chosen origin.
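An added example of the relaxed check described above (example code, not the checker's or Javalin's own): send the request with an Origin header and accept either the wildcard or an exact echo of that origin. The origin value, the probe URL and the sample response headers are constructed for illustration.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class CorsCheck:
    compliant: bool
    reason: str


def check_cors(sent_origin: str, headers: dict) -> CorsCheck:
    """Judge the CORS response to a request that carried ``Origin: sent_origin``.

    A browser accepts either ``Access-Control-Allow-Origin: *`` or an exact
    echo of the origin it sent, so the checker accepts the same two forms.
    """
    # Header names are case-insensitive; normalise once for lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return CorsCheck(False, "no Access-Control-Allow-Origin header")
    if acao == "*":
        return CorsCheck(True, "wildcard origin")
    if acao == sent_origin:
        # Echoing is fine, but a shared cache must then key on Origin,
        # otherwise one client's allowed origin can be served to another.
        vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
        if "origin" not in vary and "*" not in vary:
            return CorsCheck(True, "origin echoed, but 'Vary: Origin' is missing")
        return CorsCheck(True, "origin echoed")
    return CorsCheck(False, f"origin {sent_origin} not allowed (got {acao!r})")


def probe(url: str, origin: str = "https://checker.example") -> CorsCheck:
    """Send a GET with an Origin header and evaluate the response headers.

    The origin is a constructed value; any syntactically valid origin works.
    """
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_cors(origin, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # Error responses still carry headers, so judge them the same way.
        return check_cors(origin, dict(err.headers.items()))
```
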