Filtered API calls delete CORS

Added by Tommaso Visconti almost 5 years ago

This is a strange behaviour of the API. I'm using rack-cors to enable API consuming by other apps (Ember.js).

When using various endpoints (/issues.json, time_entries.json, projects.json), everything is OK.

With this specific call, CORS headers aren't added to the response and the browser blocks the request with the "famous" error: "No 'Access-Control-Allow-Origin' header is present on the requested resource".
The call is:

/time_entries.json?user_id=<ID>
or
/time_entries.json?user_id=me

The only added header is:

X-Rack-CORS: preflight-hit; no-origin

If I change the param to something not recognized by Redmine (e.g. ?wrong_param=me), everything works well (the response isn't filtered). So the problem seems to be related to the filtering of the time entries by user.
Maybe with this particular filtering Redmine creates a different response which avoids the rack-cors action?

The correct headers, added by rack-cors, should be:

Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS, HEAD
Access-Control-Max-Age: 0
Access-Control-Allow-Credentials: true
X-Rack-CORS: hit
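As an added example (not code from the report, from Redmine, or from rack-cors), here is a small Ruby check that parses raw HTTP response headers and reports which of the CORS headers listed above are missing, what the X-Rack-CORS debug header says, and whether the response would be usable by a credentialed browser request. The two sample responses are constructed to mirror the two cases in the report (a normal response and the filtered one that only carries "X-Rack-CORS: preflight-hit; no-origin"); the expected origin http://localhost:4200 is taken from the report. It goes slightly beyond the report by also flagging the "Access-Control-Allow-Origin: *" plus "Access-Control-Allow-Credentials: true" combination, which browsers reject for credentialed requests.

```ruby
# Added example: offline check of CORS headers on captured HTTP responses.
# Not part of the original report, Redmine, or rack-cors.

# Headers the report says rack-cors should add on a successful CORS response.
REQUIRED_CORS_HEADERS = %w[
  Access-Control-Allow-Origin
  Access-Control-Allow-Methods
  Access-Control-Allow-Credentials
].freeze

# Constructed sample: the headers quoted in the report for a working endpoint.
GOOD_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  Access-Control-Allow-Origin: http://localhost:4200
  Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS, HEAD
  Access-Control-Max-Age: 0
  Access-Control-Allow-Credentials: true
  X-Rack-CORS: hit
HTTP

# Constructed sample: the filtered /time_entries.json?user_id=me case, where
# only the rack-cors debug header is present.
FILTERED_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  X-Rack-CORS: preflight-hit; no-origin
HTTP

# Parse a raw header block into a hash keyed by lower-cased header name.
# The status line and blank lines are skipped; the first ':' splits name/value.
def parse_headers(raw)
  raw.each_line.each_with_object({}) do |line, headers|
    line = line.strip
    next if line.empty? || line.start_with?('HTTP/')
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
end

# Report on the CORS state of one response for a given expected origin.
def cors_report(raw, expected_origin)
  headers = parse_headers(raw)
  missing = REQUIRED_CORS_HEADERS.reject { |name| headers.key?(name.downcase) }
  allow_origin = headers['access-control-allow-origin']
  credentials = headers['access-control-allow-credentials'] == 'true'
  debug = headers['x-rack-cors']

  {
    missing: missing,
    origin_matches: allow_origin == expected_origin,
    # rack-cors reports "no-origin" in its debug header when it saw no
    # Origin header on the request; nil when the debug header is absent.
    rack_cors_saw_origin: debug.nil? ? nil : !debug.include?('no-origin'),
    # A wildcard origin combined with credentials is rejected by browsers.
    wildcard_with_credentials: allow_origin == '*' && credentials,
    ok: missing.empty? && allow_origin == expected_origin && !(allow_origin == '*' && credentials)
  }
end

# Usage: print the report for both constructed samples.
if __FILE__ == $PROGRAM_NAME
  { good: GOOD_RESPONSE, filtered: FILTERED_RESPONSE }.each do |label, raw|
    puts "#{label}: #{cors_report(raw, 'http://localhost:4200').inspect}"
  end
end
```

Running the script against real captures is a matter of pasting the header block of each response into a string; comparing the `:missing` and `:rack_cors_saw_origin` fields across endpoints shows whether the difference is in the headers rack-cors emitted or in what it saw on the request.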