Cross-Origin Resource Sharing (CORS) is a mechanism that allows scripts to access resources from different sources (domain, port, and protocol).

Some HTTP request methods can interfere with user data. Because of that it is necessary to obtain an "approval" before the actual request is sent. The preflight requests, which are HTTP requests with the OPTIONS method, sends the request beforehand with the supported methods and other headers.

Implementing the OPTIONS method

In order to enable CORS support, you need to create an OPTIONS method.

Use the same path as the other methods and add a Mock interceptor.

The interceptor should return status 200 and the headers:

  • Access-Control-Allow-Origin: you may use '*' (any origin) or specify the origin that has permission to access the resource.

  • Access-Control-Allow-Methods: provide a list of the methods you use, in the format <method>, <method>, …​.


  • If you do not implement the OPTIONS method:

    • interceptors configured in the all/all resource will be disregarded and will not be inherited by the fetched resource;

    • as a standard, responses to preflight requests will contain the following headers:

      key: value

      Access-Control-Allow-Origin: *
      Access-Control-Allow-Methods: HEAD, DELETE, POST, GET, OPTIONS, PUT, PATCH
    • if the preflight request contains the header Access-Control-Request-Headers, the response will include its content in the key-value header Access-Control-Allow-Headers;

    • if there is no previous configuration and the Origin header is not empty, the value returned in the Access-Control-Allow-Origin header will be the same received in the Origin header.

Thanks for your feedback!

Share your suggestions with us!
Click here and then [+ Submit idea]