Invalid Access-Control-Request-Methods and Access-Control-Request-Headers HTTP headers

[ehmicky]

Describe the bug
@middy/http-cors sets the following HTTP response headers: Access-Control-Request-Methods and Access-Control-Request-Headers.

middy/packages/http-cors/index.js

Lines 154 to 165 in f50d235

	if (
	options.requestHeaders &&
	!existingHeaders.includes('Access-Control-Request-Headers')
	) {
	headers['Access-Control-Request-Headers'] = options.requestHeaders
	}
	if (
	options.requestMethods &&
	!existingHeaders.includes('Access-Control-Request-Methods')
	) {
	headers['Access-Control-Request-Methods'] = options.requestMethods
	}

However, the correct spelling of the former header is Access-Control-Request-Method (no s).

Additionally, those headers are meant to be set by the client (in the request), not the server (in the response). See MDN and the standard.

This is in contrast with Access-Control-Allow-Methods and Access-Control-Allow-Headers, which are correctly set.

Expected behaviour
This seems to indicate those two headers should not be set at all, removing the requestMethods and requestHeaders options.

Additional context
Note: Express CORS middleware does not set those headers either.