CORS for Google Cloud Endpoints: Options, Pros, and Cons
Google Cloud Endpoints makes CORS feel simpler than it really is. That’s both the nice part and the dangerous part. If you’re running Endpoints with ESP or ESPv2, you’ve got a few ways to handle CORS: let Endpoints proxy and pass CORS through from your backend make Endpoints handle CORS preflight for you split responsibility between proxy and backend All three work. Not all three age well. I’ve seen teams “fix CORS” by slapping Access-Control-Allow-Origin: * onto everything, then later wonder why authenticated browser requests still fail. CORS is one of those areas where the browser is very literal, and Google Cloud Endpoints doesn’t save you from bad policy choices. ...