There are two options here in terms of configuring allowed headers. If the headers array is not set everything is allowed, otherwise __*only*__ headers in the array is allowed. For example for an OData controller, if you want to allow 'Prefer' header, following setting has to be given:
```
[EnableCors(Headers = new string[] { "Accept", "Content-Type", "Origin", "Prefer" }
```
It is a usability problem that some headers such as "Origin" is a must have no matter what. Otherwise the follow up CORS request will be rejected.
Suggest to provider more flexible way in addition to current mechanism (nothing wrong with current one) to configure allow method, such as
1) allow add addition header based on a common group of header which is pre-set
2) allow single out header to reject
```
[EnableCors(Headers = new string[] { "Accept", "Content-Type", "Origin", "Prefer" }
```
It is a usability problem that some headers such as "Origin" is a must have no matter what. Otherwise the follow up CORS request will be rejected.
Suggest to provider more flexible way in addition to current mechanism (nothing wrong with current one) to configure allow method, such as
1) allow add addition header based on a common group of header which is pre-set
2) allow single out header to reject