This is mostly a note to myself because for some reason when testing
CORS headers I nearly
always manage to forget to include the Origin
header.
For completeness here’s an example using curl:
curl -v --request OPTIONS 'localhost:8080' --header 'Origin: http://example.com'
Here’s an example of doing an OPTIONS
request to test authorization against AWS S3:
curl --head --request OPTIONS \
--header 'origin: https://www.example.com' \
--header 'Access-Control-Request-Method: GET' \
https://s3.amazonaws.com/example/path/to/object/my-image.jpg
NOTE: Probably more to the story but CORS seems very expensive! In my completely non-scientific tests CORS added 3x cost to the speed of the request.