I added Authorization in the request header (see below) on Angular (Angular 12), and the browser (Firefox v.119.0b6) started sending OPTIONS preflight requests which seems like they're checking whether the authorization header is allowed or not since it includes Access-Control-Request-Headers: authorization in the preflight request header.
Here's how I added the Authorization header in the http-interceptor:
req = req.clone({ headers: req.headers.set('Authorization', `Bearer ${token}`) })
My question is if this is normal (and if so, my guess is that the lowercase 'a' made the browser think like it's a custom header?), or if there's something I need to change. The request went through fine on Firefox (Chrome/Edge doesn't work since I'm sending it from localhost), but I couldn't find anyone else mentioning this behavior.
I've checked with our other product (AngularJS + ASP.NET) which also sends the Authorization header, but it's not sending the OPTIONS preflight request.
Checked on Chrome with --disable-web-security turned on, it doesn't have the preflight requests either.