Source
void applyCORSHeadersIfNecessary(Request req, Response resp) { if (req.isCORSRequest && !req.isPreflightRequest) { var lastPolicyController = _lastRequestController(); var p = lastPolicyController.policy; if (p != null) { if (p.isRequestOriginAllowed(req.innerRequest)) { resp.headers.addAll(p.headersForRequest(req)); } } } }