Similarly to #64, the implementation of 'Access-Control-Allow-Headers': '*' does not work on Firefox, which rejects the request with a preflight error.
Example sending Access-Control-Request-Headers: authorization in Firefox:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3579/user. (Reason: missing token ‘authorization’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).[Learn More]
Works as expected on Chromium.
Also works on Firefox when explicitly using cors(app, "*", methods="*", headers=["Authorization"]) instead of headers="*".
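Added example, not part of the original report and not the project's code: a model of the header check the Fetch standard defines for a CORS preflight response, in which `Authorization` is a non-wildcard request header that `*` never covers and `*` is only a literal name when credentials are included. The function and variable names are hypothetical and the sample cases are constructed.

```python
# Added example: models the header check a browser applies to a CORS
# preflight response, following the Fetch standard. Names are illustrative.

NON_WILDCARD_HEADERS = {"authorization"}  # never matched by "*" (Fetch standard)


def parse_header_list(value):
    """Split a comma-separated header value into lowercase names."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def preflight_allows(requested, allow_headers, credentials=False):
    """Return (ok, reason) for a preflight response.

    requested      -- names from Access-Control-Request-Headers
    allow_headers  -- raw Access-Control-Allow-Headers value from the server
    credentials    -- True when the request's credentials mode is "include"
    """
    allowed = parse_header_list(allow_headers)
    # With credentials, "*" is a literal header name, not a wildcard.
    wildcard = "*" in allowed and not credentials
    for name in sorted(n.strip().lower() for n in requested):
        if name in allowed:
            continue
        if name in NON_WILDCARD_HEADERS:
            return False, f"missing token '{name}' (not covered by '*')"
        if not wildcard:
            return False, f"missing token '{name}'"
    return True, "ok"


def main():
    # Constructed sample cases mirroring the report above.
    cases = [
        (["authorization"], "*", False),
        (["authorization"], "Authorization", False),
        (["x-request-id"], "*", False),
        (["x-request-id"], "*", True),
        (["authorization", "x-request-id"], "*, Authorization", False),
    ]
    for requested, allow, creds in cases:
        print(requested, repr(allow), creds, "->", preflight_allows(requested, allow, creds))


if __name__ == "__main__":
    main()
```

A server that wants `headers="*"` to cover bearer tokens under this rule has to emit `Authorization` by name alongside the wildcard, as the last case shows.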