JanLi-air opened a new issue #1915: URL: https://github.com/apache/incubator-apisix/issues/1915
### Issue description

The cors headers can be overridden by upstreams if it's put at rewrite phase.

### Environment

* apisix version (cmd: `apisix version`): 1.4
* OS: Linux

### Minimal test code / Steps to reproduce the issue

1. Create a backend which overrides the cors headers, such as Access-Control-Allow-Origin
2. Configure cors plugin to proxy to the upstream setup in step 1
3. Request the uri configured

### What's the actual result? (including assertion message & call stack if applicable)

The cors header will be determined by the upstream.

### What's the expected result?

The cors header should be determined by the cors plugin.

This is related to another issue: https://github.com/apache/incubator-apisix/issues/1528

I don't think it's good practice to change the phase of cors plugin to make sure it works with the auth plugins. The cors plugin worked in header_filter phase since it needs to rewrite those headers after apisix gets response from upstream. If we change it to be at the rewrite phase, it's possible the header got overridden by upstream or the header is discarded somewhere.
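The phase-ordering problem reported above, as an added toy model in Python (not code from the issue or from APISIX). It assumes, as the issue describes, that upstream response headers are applied after anything set in the rewrite phase; the policy, origins and function names are hypothetical.

```python
# Toy model of gateway phases; all names and values here are constructed.
CORS_PREFIX = "access-control-"
POLICY = {"allow_origins": {"https://app.example.test"}}  # constructed policy

def upstream_response():
    # Constructed upstream that emits its own permissive CORS header.
    return {"Content-Type": "application/json",
            "access-control-allow-origin": "*"}

def cors_headers(policy, origin):
    """Headers the gateway policy wants for this Origin (none if not allowed)."""
    if origin not in policy["allow_origins"]:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}

def merge(base, overlay):
    """Case-insensitive merge: overlay replaces same-named headers in base."""
    names = {k.lower() for k in overlay}
    out = {k: v for k, v in base.items() if k.lower() not in names}
    out.update(overlay)
    return out

def proxy(policy, origin, phase):
    wanted = cors_headers(policy, origin)
    if phase == "rewrite":
        # Set before proxying: the upstream's headers are applied last and win.
        return merge(wanted, upstream_response())
    if phase == "header_filter":
        # Upstream response is in hand: drop its CORS headers, then set ours.
        cleaned = {k: v for k, v in upstream_response().items()
                   if not k.lower().startswith(CORS_PREFIX)}
        return merge(cleaned, wanted)
    raise ValueError(phase)

def allow_origin(headers):
    """All Access-Control-Allow-Origin values, whatever the header case."""
    return [v for k, v in headers.items()
            if k.lower() == "access-control-allow-origin"]

if __name__ == "__main__":
    for phase in ("rewrite", "header_filter"):
        for origin in ("https://app.example.test", "https://other.example.test"):
            print(phase, origin, allow_origin(proxy(POLICY, origin, phase)))
```

In the rewrite-phase branch the upstream's `*` reaches the client even for an origin the policy does not list; in the header_filter branch the value is the policy's, or absent.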