fix: CORS wildcard Allow-Headers for Firefox compatibility (closes #158)

jpr5 · jpr5 · commit 1e95ef5235f4 · 2026-05-06T09:08:22.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 
 ### Fixed
 
+- **CORS: Firefox preflight blocked by restricted `Allow-Headers`** — Changed `Access-Control-Allow-Headers` from `Content-Type, Authorization` to wildcard `*`, fixing Firefox's strict CORS enforcement when the OpenAI SDK sends `User-Agent` in the preflight. (Issue #158)
 - **GitHub Action: cosmetic binary rename** — `action.yml` fixtures branch referenced the legacy `llmock` binary (still functional); updated to `aimock` for consistency
 - **GitHub Action: hardcoded URLs in docs examples** — All workflow examples now use `steps.<id>.outputs.url` instead of hardcoded `http://127.0.0.1:4010`
 
diff --git a/src/__tests__/server.test.ts b/src/__tests__/server.test.ts
@@ -607,6 +607,7 @@ describe("CORS", () => {
     expect(res.status).toBe(204);
     expect(res.headers["access-control-allow-origin"]).toBe("*");
     expect(res.headers["access-control-allow-methods"]).toContain("POST");
+    expect(res.headers["access-control-allow-headers"]).toBe("*");
   });
 
   it("includes CORS headers on 404 responses", async () => {
diff --git a/src/server.ts b/src/server.ts
@@ -160,7 +160,7 @@ const DEFAULT_MODELS = [
 const CORS_HEADERS: Record<string, string> = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
-  "Access-Control-Allow-Headers": "Content-Type, Authorization",
+  "Access-Control-Allow-Headers": "*",
 };
 
 function setCorsHeaders(res: http.ServerResponse): void {
