We have a problem with our site, where we are using lots of 302 redirects.
Let’s for a moment assume I have the following two files:
# _headers
/content/*
  Access-Control-Allow-Origin: *

# _redirects
/content/lorem /content/ipsum 302
Then, when requesting /content/lorem, I would expect to get back a 302 response together with the Access-Control-Allow-Origin header. However, that is not the case.
This is actually breaking our site in a way: When doing a CORS request from a different origin to /content/lorem, the Access-Control-Allow-Origin header missing leads to the following error:
Access to fetch at '[...]/content/lorem' from origin '[...]' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
See also this blog post, which describes that behaviour.
I have seen your response in Netlify does not send custom headers in a redirect file (using https in the "to") - #19 by hrishikesh already, saying that headers are not meant to be served with redirects. However, since in this case this behaviour is breaking browser CORS rules, I would argue that at least the Access-Control-Allow-Origin should be served in this case.
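The failure described in this post, as an added example that is not part of the original post and is not Netlify code: a simplified model of the browser's CORS check for a non-credentialed fetch, which is applied to every response in the redirect chain and not only to the final one. The function name `followWithCors`, the hosts `app.example` and `site.example`, and the response tables are assumptions constructed for illustration; the handling of a second cross-origin hop (where the browser compares against `null`) goes beyond the same-host redirect in the post.

```javascript
// Simplified model of the Fetch CORS check across redirects
// (non-credentialed request, no preflight). Constructed sample data only.
const REDIRECTS = new Set([301, 302, 303, 307, 308]);

// responses: map of absolute URL -> { status, headers } with lowercase header names.
function followWithCors(pageOrigin, startUrl, responses, maxHops = 20) {
  let url = new URL(startUrl);
  let tainted = false; // set once a cross-origin URL redirects to another origin
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = responses[url.href];
    if (!res) return { ok: false, url: url.href, reason: "no response" };
    const crossOrigin = url.origin !== pageOrigin;
    if (crossOrigin || tainted) {
      // The check runs on this response even when it is only a 302.
      const allow = res.headers["access-control-allow-origin"];
      const expected = tainted ? "null" : pageOrigin;
      if (allow !== "*" && allow !== expected) {
        const reason = allow === undefined ? "missing ACAO" : "ACAO mismatch";
        return { ok: false, url: url.href, status: res.status, reason };
      }
    }
    if (!REDIRECTS.has(res.status)) {
      return { ok: true, url: url.href, status: res.status };
    }
    const next = new URL(res.headers["location"], url);
    if (crossOrigin && next.origin !== url.origin) tainted = true;
    url = next;
  }
  return { ok: false, url: url.href, reason: "too many redirects" };
}

const PAGE = "https://app.example"; // hypothetical origin making the request
const LOREM = "https://site.example/content/lorem";
const IPSUM = "https://site.example/content/ipsum";

// Behaviour reported in the post: the 302 carries no CORS header.
const headerOnTargetOnly = {
  [LOREM]: { status: 302, headers: { location: "/content/ipsum" } },
  [IPSUM]: { status: 200, headers: { "access-control-allow-origin": "*" } },
};

// Behaviour the post asks for: the 302 carries the header as well.
const headerOnBothHops = {
  [LOREM]: { status: 302, headers: { location: "/content/ipsum", "access-control-allow-origin": "*" } },
  [IPSUM]: { status: 200, headers: { "access-control-allow-origin": "*" } },
};
```

Running `followWithCors(PAGE, LOREM, headerOnTargetOnly)` stops at the 302 with `missing ACAO`, while the same call with `headerOnBothHops` reaches `/content/ipsum`.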