Preload link should include the "crossorigin" attribute, if initial request uses CORS

[kgilden]

I've been trying to get Vulcain working in a situation where CORS is necessary. At the moment it seems to me that browsers are blocking preload requests, because the generated link headers do not include the crossorigin attribute (docs).

I'd propose adding crossorigin=anonymous, if the Access-Control-Allow-Origin header is present. And crossorigin=use-credentials, if the Access-Control-Allow-Credentials header is true (docs).

However, I'm not entirely sure what should happen, if the related resources are owned by different API-s (e.g. bookapi.com/book/1 is referencing authorapi.com/author/2). In that case the abovementioned could not be implied from the response headers.

Since the Link headers are added by Vulcain, there's no way for the upstream to handle this or is there?

[mabezdek]

Same problem, some solution?

[dunglas]

I don't think it will be possible to support cross-domain references. However, PR welcome add a config option to add crossorigin attributes.