Filtered API calls delete CORS
This is a strange behaviour of the API. I'm using rack-cors to enable API consuming by other apps (Ember.js).
When using various endpoints (/issues.json, time_entries.json, projects.json) everything is ok.
With this specific call, CORS headers aren't added to the response and the browser blocks the request with the "famous" error:
No 'Access-Control-Allow-Origin' header is present on the requested resource
The call is:
/time_entries.json?user_id=<ID> or /time_entries.json?user_id=me
The only added header is:
X-Rack-CORS: preflight-hit; no-origin
If I change the param with something not recognized by redmine (e.g. ?wrong_param=me), everything works well (the response isn't filtered). So the problem seems to be related to the filtering of the time entries by user.
Maybe with this particular filtering redmine creates a different response which avoid the rack-cors action?
The correct headers, added by rack-cors, should be:
Access-Control-Allow-Origin: http://localhost:4200 Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS, HEAD Access-Control-Max-Age: 0 Access-Control-Allow-Credentials: true X-Rack-CORS: hit