yada

danielcompton 2018-05-05T13:28:36.000082Z

What Access Control headers are being returned?

shooodooken 2018-05-05T14:47:30.000050Z

reading through the CORS test cases for yada here (https://github.com/juxt/yada/blob/master/test/yada/cors_test.clj), that access-control-allow-origin header is not included if your request isn't including an Origin header. https://github.com/juxt/yada/blob/master/test/yada/cors_test.clj#L11

shooodooken 2018-05-05T14:49:24.000046Z

also not quite sure about interaction with schema (which my prev comment used as basis) but those tests use str and array as values for :allow-origin so your original definition should be ok

shooodooken 2018-05-05T18:08:41.000034Z

as bradford is not around, i ran curl against that endpoint and turns out it's live!

curl -k -I -H "Origin: http://smolder.com" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS "https://backend.smoldercdn.com/clients/76361d62-daf3-49cc-b653-a6cc61d30e9b/users/e534e5b9-991b-4bcc-b195-0b4a86498a7c/emailcampaigns/?_=1525462328888"
including the Origin returned the desired header. headers:
HTTP/2 200
date: Sat, 05 May 2018 18:07:46 GMT
content-length: 0
access-control-expose-headers: X-Custom
access-control-allow-headers: authorization, accept, accept-language, connection, content-type, host, if-none-match, origin, referer, user-agent
access-control-allow-origin: http://smolder.com
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubdomains
allow: GET, HEAD, POST, OPTIONS
access-control-allow-credentials: true
x-xss-protection: 1; mode=block
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
server: Aleph/0.4.4