understand and fix the CORS config
Original bug (Patrick 07/04/2017):
- http://gatb-core.gforge.inria.fr/gatb-compiler/gatb-compiler.html?snippet=bank1
- click Compile & Run
The HTTP response contains duplicated CORS headers:
Access-Control-Allow-Origin: http://gatb-core.gforge.inria.fr
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Expose-Headers:
Access-Control-Max-Age: 0
Access-Control-Allow-Credentials: true
Vary: Origin
X-Rack-CORS: hit
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
The first group is set by Rails (rack-cors gem in config/application.rb) and the second group is set by nginx (deploy/nginxconf).
--> to be audited and cleaned
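
An added example, not part of the original ticket or the project's code: a Ruby check that reads the response headers quoted above and reports every CORS header sent more than once, plus the `*` origin combined with credentials, which browsers reject under the Fetch standard. The names `parse_headers` and `audit_cors` and the wording of the findings are assumptions made for this sketch.

```ruby
# Added example: audit a captured HTTP response for conflicting CORS headers.
# SAMPLE is the header block quoted in the ticket above.
SAMPLE = <<~HEADERS
  Access-Control-Allow-Origin: http://gatb-core.gforge.inria.fr
  Access-Control-Allow-Methods: POST, GET, OPTIONS
  Access-Control-Expose-Headers:
  Access-Control-Max-Age: 0
  Access-Control-Allow-Credentials: true
  Vary: Origin
  X-Rack-CORS: hit
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Methods: GET, POST, OPTIONS
  Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
HEADERS

# Parse "Name: value" lines into { "lowercased-name" => [values in order] }.
def parse_headers(raw)
  raw.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    name, value = line.chomp.split(":", 2)
    next if name.nil? || value.nil? || name.strip.empty?
    acc[name.strip.downcase] << value.strip
  end
end

# Return a list of findings (strings); empty means the CORS headers are consistent.
def audit_cors(raw)
  headers = parse_headers(raw)
  cors = headers.select { |name, _| name.start_with?("access-control-") }
  findings = []
  cors.each do |name, values|
    next if values.size < 2 # a header set by only one layer is fine
    kind = values.uniq.size > 1 ? "conflicting" : "repeated"
    findings << "#{name}: #{kind} (#{values.size} copies: #{values.join(' | ')})"
  end
  origins = cors.fetch("access-control-allow-origin", [])
  creds = cors.fetch("access-control-allow-credentials", []).any? { |v| v.downcase == "true" }
  # Browsers fail the CORS check for credentialed requests when the origin is "*".
  findings << "wildcard origin sent together with credentials=true" if origins.include?("*") && creds
  vary = headers.fetch("vary", []).flat_map { |v| v.split(",") }.map { |v| v.strip.downcase }
  if origins.any? { |o| o != "*" } && !vary.include?("origin")
    findings << "origin-specific Allow-Origin without Vary: Origin"
  end
  findings
end

puts audit_cors(SAMPLE) if $PROGRAM_NAME == __FILE__
```

After one of the two layers (rack-cors or nginx) stops emitting CORS headers, the same check on the new response should return an empty list.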