CORS "Preflight" support

[spemberton]

I was trying to POST data from a form, but it was sending a CORS preflight request first.
I could handle this case by adding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: content-type
to the returned headers, and then at least the POST data was submitted. But then I had no control over the response to the POST.

[qustavo]

Any suggestion about how to implement this?, would you enable CORS using a flag?, if so, would you log the CORS request as well?, I'd love to hear from you so that we can build the right solution.

[spemberton]

One possibility would be to have two sets of headers that you can switch between, one for preflight, and one for normal. I don't think you need to do anything special except recognise a CORS preflight, and reply with the preflight headers. Your normal method of logging requests would handle the preflight just fine (and you can then use PageUp to see the preflight request).

Here is an example of a preflight request:

OPTIONS / HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit
Access-Control-Request-Headers: content-type
Dnt: 1
Accept-Language: en-GB,nl-NL;q=0.8,nl;q=0.6,en-US;q=0.4
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://homepages.cwi.nl
Accept: /
Referer: http://homepages.cwi.nl/~steven/forms/examples
Accept-Encoding: gzip, deflate, br

Here an example of the headers I use:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: content-type

[qustavo]

Closed by #40