Similarly to #64 the implementation of 'Access-Control-Allow-Headers': '*' does not work on Firefox rejecting with a preflight error.

Example sending Access-Control-Request-Headers: authorization in Firefox:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3579/user. (Reason: missing token ‘authorization’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).[Learn More]

Works as expected on Chromium.
Also works on Firefox when explicitely using cors(app, "*", methods="*", headers=["Authorization"]) instead of headers="*"