Add Access-Control-Allow-Origin before aborting

[tj]

I plan on sending a PR at some point, just opening this for reference or if someone else wants to grab it.

I think here if we respond with Access-Control-Allow-Origin first it'll lead to nicer browser errors, and require fewer trips to enabling debugging with this middleware to discover what went wrong.

Currently this kind of masks issues with the other fields, so the browser basically just says you don't have access at all. Let me know if that sounds reasonable!

[rs]

Re-reading the spec, I'm not sure we should stop the processing of the preflight request until there is a parsing error. I might revisit this.

[bithavoc]

When the browser uses <img crossOrigin=Anonymous> there is no pre-flight and this line here halts the execution before isOriginAllowed realizes the desired * origins.

Should I open a separate issue or are we talking about the same thing?

[rs]

Yes, I think it's a different issue.

[jub0bs]

@tj For what it's worth, I mentioned this issue in my latest my blog post.

[jub0bs]

Related: whatwg/fetch#1588

[jub0bs]

FWIW, I've implemented some debug mode in jub0bs/cors that changes the way the middleware composes responses to preflight requests, and which can be toggled on the fly. Perhaps something to consider for rs/cors.