角度CORS：OPTIONS预检后，PUT缺少授权标头

Question

我想将数据从Angular发送到Logstash HTTP输入中。由于Logstash HTTP输入无法正常处理CORS预检请求（can't disable basic authentication for OPTIONS），因此我想在Logstash前面使用nginx作为代理。我的nginx配置的相关部分如下：

location / {
    add_header 'Access-Control-Allow-Origin' *;
    add_header 'Access-Control-Allow-Credentials' true;
    add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,Keep-Alive,Content-Type,accept,origin,X-Requested-With';
    add_header 'Access-Control-Expose-Headers' 'Authorization,DNT,User-Agent,Keep-Alive,Content-Type,accept,origin,X-Requested-With,Content-Disposition';

    return 200;

    limit_except OPTIONS {
        auth_basic "Restricted access zone";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://localhost:31311;  # logstash listens here
    }
}

这对于允许OPTIONS可以正常工作。相关的cURL输出（来自Chrome的“复制为cURL”功能：

> OPTIONS / HTTP/1.1
> Host: MUNGED
> Access-Control-Request-Method: PUT
> Origin: MUNGED
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-IL,en;q=0.9,he-IL;q=0.8,he;q=0.7,en-US;q=0.6
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/71.0.3578.80 Chrome/71.0.3578.80 Safari/537.36
> Accept: */*
> Referer: MUNGED
> Connection: keep-alive
> DNT: 1
> Access-Control-Request-Headers: content-type
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 25 Dec 2018 20:13:01 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET,HEAD,OPTIONS,POST,PUT
< Access-Control-Allow-Headers: Authorization,DNT,User-Agent,Keep-Alive,Content-Type,accept,origin,X-Requested-With
< Access-Control-Expose-Headers: Authorization,DNT,User-Agent,Keep-Alive,Content-Type,accept,origin,X-Requested-With,Content-Disposition

（我不确定Access-Control-Expose-Headers是否是必需的，但无论如何都无法工作...）

但是，由于某种原因，后续的PUT失败，因为未在请求中发送Authorization标头。相关的Angular代码如下所示：

const headers = new HttpHeaders();                                                                                                                                                  
headers.set('Authorization', 'basic ' + btoa(environment.eventUsername + ':' + environment.eventPassword));                                                                         
headers.set('Content-Type', 'application/json');                                                                                                                                    
this.httpClient.put(environment.eventTrackingUrl, event, { headers: headers }).subscribe();

但是，PUT标头看起来像这样（再次使用复制到cURL）：

> PUT / HTTP/1.1
> Host: MUNGED
> Origin: MUNGED
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-IL,en;q=0.9,he-IL;q=0.8,he;q=0.7,en-US;q=0.6
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/71.0.3578.80 Chrome/71.0.3578.80 Safari/537.36
> Content-Type: application/json
> Accept: application/json, text/plain, */*
> Referer: MUNGED
> Connection: keep-alive
> DNT: 1
> Content-Length: 144
> 
} [144 bytes data]
* upload completely sent off: 144 out of 144 bytes
{ [5 bytes data]
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.14.0 (Ubuntu)
< Date: Tue, 25 Dec 2018 21:03:34 GMT
< Content-Type: text/html
< Content-Length: 606
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted access zone"

没有授权标头...这导致PUT失败，并显示401。

关于Angular或浏览器为什么不发送Authorization标头的任何线索？