I tested and am not seeing the problem. When I include an Origin header, I get back the appropriate Access-Control-Allow-Origin: * header. Here's an example using curl on the command line:
* Trying 67.199.248.21...
* TCP_NODELAY set
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=4627013; street=Floor 5; street=139 5th Avenue; postalCode=10010; C=US; ST=New York; L=New York; O=Bitly, Inc.; CN=api-ssl.bitly.com
* start date: Jun 14 00:00:00 2017 GMT
* expire date: Jul 24 12:00:00 2018 GMT
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
> GET /v3/shorten?access_token=REDACTED&longUrl=http%3A%2F%2Fgoogle.com HTTP/1.1
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 18 Jan 2018 18:33:14 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 165
< Connection: keep-alive
< Access-Control-Allow-Origin: *
<
Abdo, Thomas, if you try something similar, are you seeing the Access-Control-Allow-Origin header? Can you post exactly what you do see?
Regards,
---Peter
Peter Herndon
@Bitly