Handle Access-Control-Allowed-Headers in CORS preflight

[jakedt]

The CORS implementation added by the fix/preflight branch is incomplete. You must also respond to the headers requests. My client (graphiql on chrome) is trying to use a content-type header, and is therefore being rejected.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Headers

Also, kind of surprising that CORS is enabled by default. You may want to put a warning somewhere in the readme!

[jakedt]

Just found the build-in graphiql support, doesn't change the issue but is a great workaround in the meantime. Thanks!

[grazor]

Hi @jakedt !

Thanks for report, I'll look into it soon.

I guess you are right about enabling CORS by default, I'll add an option for it.

[ahopkins]

I got tripped up by this too. Is anyone doing something on this? If not, I might add a PR.

[dpnova]

CORS(app, automatic_options=True) - I did this to get things working. Doesn't fix the real issue here, but at least is a work around.