could anyone recommend a way to have the allowed-origins interceptor skip a particular route?

@ccann, you have full control over what interceptors are added. Leveraging Pedestal’s default-interceptors impl should be considered a convenience and may not be suitable for some use cases. By setting the :io.pedestal.http/interceptors key on the service map you take full control over what interceptors are added when. If you do this, though, you’ll need to add the router interceptor yourself.

okay yeah, thanks

Or you can just add the allowed-origins interceptor yourself in your routes and skip specifying the allowed-origins in your service map

the later is probably more confusing

the problem I’m having that led me to ask the question is that for my health check route (a GET request) I’m getting a NPE from my allowed-origins function

which is because there is no Origin header (i’m parsing the header with a regexp)

because the health check is coming from an AWS server not a browser

and apparently the pedestal cors interceptor calls the allowed-origins function before determining if the request type is :options https://github.com/pedestal/pedestal/blob/09dd88c4ce7f89c7fbb7a398077eb970b3785d2d/service/src/io/pedestal/http/cors.clj#L82

Yep, the allow-origin interceptor is added prior to the router and it is within the router where method-based matching is done

so I guess the “correct” behavior then for a missing Origin header is for the allowed-origins function to return truthy

because a browser is going to send Origin, and that’s what CORS is concerned with. If a server or curl doesn’t specify an origin that’s outside the concern of CORS

thinking out-loud here 🙂

sounds reasonable