Add Cache Headers as permitted headers for CORS preflight: Fix issue #5354

[fatbattk]

No description provided.

[codecov]

Codecov Report

Merging #5396 into master will decrease coverage by 0.06%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #5396      +/-   ##
==========================================
- Coverage      94%   93.93%   -0.07%     
==========================================
  Files         127      127              
  Lines        9091     9091              
==========================================
- Hits         8546     8540       -6     
- Misses        545      551       +6

Impacted Files	Coverage Δ
src/middlewares.js	98.2% <ø> (ø)	⬆️
src/Adapters/Auth/httpsRequest.js	95.23% <0%> (-4.77%)	⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	91.5% <0%> (-0.73%)	⬇️
src/RestWrite.js	93.27% <0%> (-0.36%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e0db6eb...0bf551f. Read the comment docs.

[acinader]

This looks good to me.

[acinader]

see my notes on the issue: #5354

further consideration

[acinader]

I think that the proposed change is likely fine, but in thinking about this, I am now concerned about

parse-server/src/middlewares.js

Lines 282 to 299 in 0bf551f

	export function allowCrossDomain(req, res, next) {
	res.header('Access-Control-Allow-Origin', '*');
	res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
	res.header(
	'Access-Control-Allow-Headers',
	'X-Parse-Master-Key, X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, Content-Type, Pragma, Cache-Control'
	);
	res.header(
	'Access-Control-Expose-Headers',
	'X-Parse-Job-Status-Id, X-Parse-Push-Status-Id'
	);
	// intercept OPTIONS method
	if ('OPTIONS' == req.method) {
	res.sendStatus(200);
	} else {
	next();
	}
	}

which allows * host to send authentication headers like master key and session id.

the fetch discussion I've been reading for context on this pr suggests that * for allowed hosts should not be permitted with authentication. Next step for me is to try and set up some tests to help me wrap my head around how this particular cors function would operate in real life. Any help would be greatly appreciated.

[acinader]

I'd like to get this merged in.

I have a concern around the * in the Access-Control-Allow-Origin given the authentication headers that are allowed; however, this change does not make that worse.

I'd like to get this merged in and would appreciate another set of eyes from the community to take a look at it and think it through.