Fix ActiveStorage Overview CORS examples.

S3 CORS configuration's `ExposeHeaders` corresponds to Access-Control-Expose-Headers that indicates which **response** headers should be made available to scripts running in the browser.
But the current example contains **request** headers (e.g. Content-MD5).
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers

`AllowedHeaders` corresponds to Access-Control-Allow-Headers that indicates which **request** headers are allowed.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Additionally, `Origin` is not required in Access-Control-Allow-Headers.
User agents automatically add the Origin request header to CORS requests and JS can't control its behavior.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
Shunichi Ikegami 2023-07-19 18:06:48 +09:00
parent 2884d00f0c
commit ea8795040e
1 changed files with 5 additions and 10 deletions


@ -1027,7 +1027,6 @@ Take care to allow:
* All origins from which your app is accessed
* The `PUT` request method
* The following headers:
* `Origin`
* `Content-Type`
* `Content-MD5`
* `Content-Disposition` (except for Azure Storage)
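Review bot: the prose list that this hunk trims still omits the Azure-specific request headers that the Azure XML example further down requires (`x-ms-blob-content-disposition`, `x-ms-blob-type`), so a reader who configures Azure from this list alone will under-allow; consider adding them here alongside the existing "except for Azure Storage" remark on `Content-Disposition`.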
@ -1043,7 +1042,9 @@ No CORS configuration is required for the Disk service since it shares your app
[
{
"AllowedHeaders": [
"*"
"Content-Type",
"Content-MD5",
"Content-Disposition"
],
"AllowedMethods": [
"PUT"
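Review bot: replacing `"*"` with an explicit `AllowedHeaders` list is a tightening of the preflight policy, not only a documentation correction; a sentence in the surrounding text saying that any additional request header a customized direct-upload client sends must be added to this list would save readers a confusing preflight failure, while the explicit list itself is the better default.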
@ -1051,12 +1052,6 @@ No CORS configuration is required for the Disk service since it shares your app
"AllowedOrigins": [
"https://www.example.com"
],
"ExposeHeaders": [
"Origin",
"Content-Type",
"Content-MD5",
"Content-Disposition"
],
"MaxAgeSeconds": 3600
}
]
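Review bot: dropping the whole `ExposeHeaders` block is consistent with the commit message, but the prose above these examples ("Take care to allow: ... The following headers") still does not distinguish request headers from response headers; a one-line note there that direct upload needs no response headers exposed would stop readers re-adding this block from older copies of the guide.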
@ -1069,7 +1064,7 @@ No CORS configuration is required for the Disk service since it shares your app
{
"origin": ["https://www.example.com"],
"method": ["PUT"],
"responseHeader": ["Origin", "Content-Type", "Content-MD5", "Content-Disposition"],
"responseHeader": ["Content-Type", "Content-MD5", "Content-Disposition"],
"maxAgeSeconds": 3600
}
]
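Review bot: the GCS key is named `responseHeader`, yet after this change it carries the same request-header list as the S3 `AllowedHeaders` block while the S3 `ExposeHeaders` block with those same names was removed; a brief sentence in the surrounding text explaining why these request headers belong in the GCS `responseHeader` field would keep the two examples from reading as contradictory.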
@ -1082,7 +1077,7 @@ No CORS configuration is required for the Disk service since it shares your app
<CorsRule>
<AllowedOrigins>https://www.example.com</AllowedOrigins>
<AllowedMethods>PUT</AllowedMethods>
<AllowedHeaders>Origin, Content-Type, Content-MD5, x-ms-blob-content-disposition, x-ms-blob-type</AllowedHeaders>
<AllowedHeaders>Content-Type, Content-MD5, x-ms-blob-content-disposition, x-ms-blob-type</AllowedHeaders>
<MaxAgeInSeconds>3600</MaxAgeInSeconds>
</CorsRule>
</Cors>