Hi,
We are using the server side integration with PayPal where in we make a call to our backend service to initiate the payment process. This service returns a 302 redirect which takes the end user to the Paypal screen.
Now our backend service calls is a protected service and hence we add a authorization header to the request. What we observe is that when the service returns a 302 redirect, the authorization header is added to the redirect request as well due to which the OPTIONS call to the paypal site fails with the error
Access to XMLHttpRequest at 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-123455677' (redirected from 'https://<our-service>/initiate') from origin 'null' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.
I would think that this is a fairly common scenario. Can you please guide us on whats happening here.
Thanks
