Hi Greg, I might be silly but I'm struggling to understand what you're asking.
The linux guys are asking for three more headers - request or response headers? Are you calling this from javascript (ajax) if so you can add request headers at that level. On 28 August 2015 at 09:32, Greg Keogh <[email protected]> wrote: > Hi folks, last week I was in a short panic because someone writing a JS > client couldn't call my REST service. There were developing on Linux > in-house but failing to call my remote office server. To get around this > they wrote a local proxy JSP app which sat between them and me, so their > scripts were tricked into making local calls. That was a terrible waste of > their billable time. > > I thought adding Access-Control-Allow-Origin: * would simply unblock > everything for everyone, but no. This CORS header worked for me, but the > Linux guys asked for 3 more headers, but even that only got us to the next > problem where they failed to add a custom request header. They told me that > it probably can't be solved on the server side, as the rules are baked into > the browsers. And apparently different browser brands have different SOP > behaviour. > > Can anyone confirm what I've said here? Is it worth running more research > in the hope I can totally unblock SOP problems? Or will I get lost in a > mess of browser implementation quirks and go mad? > > *Greg* >
