Micronaut sends multiple headers like this:
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Headers: authorization
This confuses IE, it sees only the first header. This leads to a request error like "Request header authorization was not present in the Access-Control-Allow-Headers list.".
If the headers are merged, IE understands it:
Access-Control-Allow-Headers: content-type, authorization
I solved this by replacing the CorsFilter bean as follows (using Kotlin):
@Replaces(CorsFilter::class)
class OurCorsFilter(corsConfiguration: HttpServerConfiguration.CorsConfiguration) : CorsFilter(corsConfiguration) {
override fun setAllowHeaders(optionalAllowHeaders: List<*>, response: MutableHttpResponse<*>) {
response.header(ACCESS_CONTROL_ALLOW_HEADERS, optionalAllowHeaders.joinToString())
}
}
However, this feels like overkill to me, and besides it might be better to have this fixed somewhere else altogether. Is there not some other way around this, using config preferably?
Looks like this is an issue even on Edge https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/12046299/. Please file an issue and we will probably make a configuration option to allow for this