
Automatic CORS preflight breaks when credentials are used.

Open davidmason opened this issue 8 years ago • 1 comments

Automatic CORS preflight (added in 1.16.0) always returns header 'Access-Control-Allow-Origin': '*'. When using credentials, '*' is not accepted by browsers, and a specific allowed origin is needed instead.

When I define the options endpoint myself and try to return a specific origin, it appears that the automatic preflight takes precedence so the response still has '*'. I can't update above 1.15.0 because of this.

  • If I specify my own options response for an endpoint, that should be used instead of the automatic one.
  • I should be able to turn off the automatic CORS preflight (completely and/or per-endpoint).

EDIT: there are 2 places where the Access-Control-* headers are relevant - OPTIONS request, and in responseHeaders on a GET response. To get CORS with credentials working, I had to make sure I returned the right allowed origin and other access control headers from both of those.

I forget whether I tested overriding the default CORS in both these places at once.

davidmason avatar Jul 06 '16 23:07 davidmason
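
The two places named in the issue, as an added example that is not part of the original thread and not interfake's own code: a plain Node `http`-style handler that returns a specific allowed origin on both the OPTIONS preflight and the GET response, plus a check mirroring the browser rule that rejects `*` for credentialed requests. The allowlisted origin, the allowed methods and headers, and all function names are assumptions made for illustration.

```javascript
// Constructed allowlist; the origin below is a placeholder, not from the issue.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

// Build the Access-Control-* headers for a credentialed request.
function corsHeaders(origin, isPreflight) {
  // Unknown or missing Origin: send no CORS headers, so the browser blocks the read.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,      // exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                           // caches must key on the Origin header
  };
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
  }
  return headers;
}

// Usable as http.createServer(handler): answers the preflight and the real request.
function handler(req, res) {
  const isPreflight = req.method === 'OPTIONS';
  const headers = corsHeaders(req.headers.origin, isPreflight);
  if (isPreflight) {
    res.writeHead(204, headers);
    return res.end();
  }
  // The GET response needs the same origin and credentials headers as the preflight.
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

// Mirrors the browser's test for a response to a request sent with credentials.
function passesCredentialedCheck(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}
```

Reflecting the request's `Origin` only after an allowlist match is what keeps this from becoming equivalent to a wildcard with credentials enabled.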

@davidmason, I got the same problem. How do you define the options endpoint?

Are you still using a version < 1.16.0?

atropo avatar Sep 13 '17 08:09 atropo