In order to bring this library up to the CORS spec, we need to accomplish the following tasks. Please review the spec and add to this list!!

Simple Cross-Origin Request, Actual Request, and Redirects

• If the Origin header in the request is not present, stop adding headers and run handler
• If the Origin header in the request does not match exactly, stop adding headers and run handler
• If allowCredentials is true, Set Access-Control-Allow-Origin to the value of the Origin header (is the client responsible for rejecting if Origin is *?)

Preflight Request

• Return empty response and don't run the handler Adds successful response for OPTIONS requests without calling inner callback #48
• Return 204 as empty response? Allow user to change response code?
• If the Origin header in the request is not present, stop adding headers and return empty
• If the Origin header in the request does not match exactly, stop adding headers and return empty

Dynamic Access-Control-Allow-Origin

• Allow user to set multiple origins in config Allow regex and array origin to determine Access-Control-Allow-Origin #53
• Correctly use Vary header Correctly use Vary header #58

Specification

• https://www.w3.org/TR/cors/#resource-requests
• https://www.w3.org/TR/cors/#resource-preflight-requests

Supplementary reading

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control
• https://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server
• https://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
• https://github.com/expressjs/cors#configuration-options (this is not our spec, just an example of one implementation)

cc @bukinoshita @infernalmaster @lemol