Cannot set CORS allowed headers.

### Preflight checklist

- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's [Code of Conduct](https://github.com/ory/cli/blob/master/CODE_OF_CONDUCT.md).
- [X] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/cli/blob/master/CONTRIBUTING.md).
- [X] This issue affects my [Ory Network](https://www.ory.sh/) project.
- [ ] I have joined the [Ory Community Slack](https://slack.ory.sh).
- [ ] I am signed up to the [Ory Security Patch Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53).

### Describe the bug

Hello,

First off, thanks for the great package, I've loved my past experience with Ory OSS.

I'm having an issue in my project using the `ory proxy`. I'm using a react application to talk to the ory proxy and I have a third party client library that is trying to request CORS headers: `Authorization` (note capital 'A') and `X-Request-Id` with an `OPTIONS` pre-flight, which the ory proxy dis-allows as these are `non-standard` headers.

I haven't wrote a lick of Go really, but it looks like this is the suspect line:

https://github.com/ory/cli/blob/e5582fdfb10a4466800aa4d9e9fa0c8add334c5e/cmd/cloudx/proxy/proxy.go#L254



### Reproducing the bug

Make an OPTIONS request to the `ory proxy` for a non-standard Cors header.

Ex. `Access-Control-Request-Headers: authorization,x-request-id`

### Relevant log output

```shell
[cors] 2022/11/07 20:23:51 Handler: Preflight request  
[cors] 2022/11/07 20:23:51   Preflight aborted: headers '[Authorization X-Request-Id]' not allowed
```


### Relevant configuration

A slight tangent. I tried using the `-c` flag to set a config file, but I get a json parse error for the `.yaml`, like it's not expecting `yaml` for some reason, but json, when all the docs show `.yaml` config files?

I'm also not sure if the proxy respects any of those config values.

I also hoped that maybe setting the env variable SERVE_WRITE_CORS_ALLOWED_HEADERS='[\"content-type\", \"authorization\", \"Authorization\", \"X-Request-Id\"]' would do it, but to no avail.

### Version

    "@ory/cli": "^0.1.47",

### On which operating system are you observing this issue?

Linux

### In which environment are you deploying?

_No response_

### Additional Context

I'm not an expert on CORS or the `ory proxy` so I may be missing something obvious to forward the `OPTIONS` call to my down-stream server?

Or potentially a way for `ory proxy` to just ignore OPTIONS and forward to the down-stream server?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Cannot set CORS allowed headers. #261

Preflight checklist

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Cannot set CORS allowed headers. #261

Description

Preflight checklist

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions