
Default CORS settings (allow-origin: * & allow-credentials: true) break Ajax

Open krismeister opened this issue 4 years ago • 0 comments

  • Expected behaviour: By default, the OPTIONS response should not have access-control-allow-credentials: "true" set.

  • What actually happens: The default behaviour of an endpoint in claudia rest is a wildcard origin together with allow-credentials: true.

HTTP/2.0 200 OK
content-type: application/json
content-length: 0
date: Wed, 04 Mar 2020 18:11:26 GMT
x-amzn-requestid: 30853b72-2dc9-4734-9bcf-034dcfc63a6d
access-control-allow-origin: *         <<<< ISSUE
access-control-allow-headers: Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token
x-amz-apigw-id: I4JUTGEUoAMF8YA=
access-control-allow-methods: OPTIONS,GET,POST
access-control-allow-credentials: true       <<<< ISSUE
x-cache: Miss from cloudfront
.....

This combination of current default options:

access-control-allow-credentials: "true"
and
access-control-allow-origin: *  

throws a security issue in ALL browsers during a cross-domain AJAX request. To obey the security model, if access-control-allow-credentials: "true" is set, then the allowed origin must be a full origin, e.g. access-control-allow-origin: https://test.com:5050

  • Steps to reproduce the problem:

Start a new project with one end point, load it via ajax from a different domain.

krismeister, Mar 04 '20 18:03
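As an added example (not part of the issue and not claudia-api-builder's own code), the following Node.js snippet parses a response header block like the one quoted above, flags the invalid allow-origin: * plus allow-credentials: true combination, and shows the header set a server should emit instead for a credentialed request from an allowed origin. The function names (parseHeaders, auditCors, corsHeadersFor), the allow-list and the trimmed sample response are assumptions constructed for this example.

```javascript
// Constructed sample, trimmed from the header dump in the issue above.
// The status line is kept to show that the parser skips it.
const SAMPLE_RESPONSE = `HTTP/2.0 200 OK
content-type: application/json
content-length: 0
access-control-allow-origin: *
access-control-allow-headers: Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token
access-control-allow-methods: OPTIONS,GET,POST
access-control-allow-credentials: true`;

// Parse "name: value" lines into an object keyed by lower-cased header name.
// Lines without a colon (status line, blank lines, "....." truncation) are skipped.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Return a list of CORS misconfiguration findings for a parsed header set.
function auditCors(headers) {
  const origin = headers['access-control-allow-origin'];
  const creds = headers['access-control-allow-credentials'];
  const findings = [];

  // The exact combination from the issue: browsers refuse credentialed
  // requests when the allowed origin is the wildcard.
  if (origin === '*' && creds === 'true') {
    findings.push('allow-origin "*" with allow-credentials "true": browsers reject credentialed cross-origin requests');
  }

  // When the origin is echoed per request, the response must carry
  // "Vary: Origin" so that shared caches do not replay it to another origin.
  const vary = (headers['vary'] || '').toLowerCase().split(',').map((v) => v.trim());
  if (creds === 'true' && origin && origin !== '*' && !vary.includes('origin')) {
    findings.push('origin-specific allow-origin without "Vary: Origin": cacheable across origins');
  }
  return findings;
}

// Build the CORS response headers for one request.
// - Without credentials, the wildcard is fine.
// - With credentials, echo the request Origin only if it is on the allow-list
//   and mark the response as varying by Origin; unknown origins get no CORS
//   headers at all, so the browser blocks the read.
function corsHeadersFor(requestOrigin, allowedOrigins, withCredentials) {
  if (!withCredentials) {
    return { 'access-control-allow-origin': '*' };
  }
  if (!allowedOrigins.includes(requestOrigin)) {
    return {};
  }
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Stand-alone run: audit the issue's default response, then the corrected one.
const allowList = ['https://test.com:5050']; // assumed allow-list for this example
console.log('default response findings:', auditCors(parseHeaders(SAMPLE_RESPONSE)));
const fixed = corsHeadersFor('https://test.com:5050', allowList, true);
console.log('corrected headers:', fixed, 'findings:', auditCors(fixed));
```

The same auditCors check can be run against any captured preflight response (for example, curl -i -X OPTIONS output pasted into SAMPLE_RESPONSE) to confirm a deployment no longer ships the wildcard together with allow-credentials.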