
fix: cors middleware mirrors origin in case no initial cookie is present

Open SebastianBr opened this issue 1 year ago • 3 comments

Summary

Whenever a CORS request doesn't contain a cookie in the header, but we try to set one (set-cookie in the response header), the origin of the request is not mirrored in the response, leading to CORS errors.

Checklist

  • [x] I understand that this PR may be closed in case there was no previous discussion. (This doesn't apply to typos!)
  • [x] I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • [x] I've updated the documentation accordingly.

SebastianBr avatar Aug 30 '24 08:08 SebastianBr
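To make the failure mode in the summary concrete, here is an added, self-contained model of the exchange; it is not Starlette's own middleware code and not code from the PR. The `cors_response_headers` function is a simplification written for this illustration that only captures the behaviour the summary states (the origin is echoed when the request carries a Cookie header, otherwise `*` is returned), and the `mirror_on_set_cookie` flag stands in for the proposed fix. The origin, cookie value and header maps are constructed sample data.

```python
# Added example (not Starlette's code): models why a wildcard
# Access-Control-Allow-Origin breaks the very first credentialed request that
# receives a Set-Cookie, and why mirroring the origin in that case fixes it.
from typing import Dict, Tuple

Headers = Dict[str, str]  # header names are stored lower-cased


def cors_response_headers(request: Headers, response: Headers,
                          mirror_on_set_cookie: bool) -> Headers:
    """CORS headers added by a wildcard-origin, credentials-enabled middleware.

    Simplified model (assumption for this example): the origin is echoed when
    the request already carried a Cookie header; with mirror_on_set_cookie=True
    it is also echoed when the response is about to set a cookie.
    """
    origin = request.get("origin", "")
    cors: Headers = {"access-control-allow-credentials": "true"}
    has_cookie = "cookie" in request
    sets_cookie = "set-cookie" in response
    if has_cookie or (mirror_on_set_cookie and sets_cookie):
        cors["access-control-allow-origin"] = origin
        cors["vary"] = "Origin"  # cache keyed per origin when echoing
    else:
        cors["access-control-allow-origin"] = "*"
    return cors


def browser_accepts_credentialed_response(origin: str, cors: Headers) -> Tuple[bool, str]:
    """Model the check a browser applies to a `credentials: "include"` response.

    A literal "*" is rejected for credentialed requests; the header must echo
    the exact origin and Access-Control-Allow-Credentials must be "true".
    """
    acao = cors.get("access-control-allow-origin")
    if acao == "*":
        return False, "wildcard origin not allowed with credentials"
    if acao != origin:
        return False, f"origin mismatch: {acao!r} != {origin!r}"
    if cors.get("access-control-allow-credentials") != "true":
        return False, "missing Access-Control-Allow-Credentials: true"
    return True, "ok"


ORIGIN = "https://app.example"  # constructed sample origin


def first_login_outcome(mirror_on_set_cookie: bool) -> Tuple[bool, str]:
    """First cross-origin request: no Cookie yet, server replies with Set-Cookie."""
    request: Headers = {"origin": ORIGIN}  # constructed: no cookie on first visit
    response: Headers = {
        "set-cookie": "session=abc123; HttpOnly; Secure; SameSite=None",  # constructed
    }
    cors = cors_response_headers(request, response, mirror_on_set_cookie)
    return browser_accepts_credentialed_response(ORIGIN, cors)


def later_request_outcome(mirror_on_set_cookie: bool) -> Tuple[bool, str]:
    """Subsequent request: the browser now sends the cookie, so both variants echo."""
    request: Headers = {"origin": ORIGIN, "cookie": "session=abc123"}  # constructed
    response: Headers = {}
    cors = cors_response_headers(request, response, mirror_on_set_cookie)
    return browser_accepts_credentialed_response(ORIGIN, cors)


if __name__ == "__main__":
    for label, flag in (("reported behaviour", False), ("with fix", True)):
        print(label, "| first login:", first_login_outcome(flag),
              "| later request:", later_request_outcome(flag))
```

Running it shows the asymmetry the PR is about: once the browser has the cookie, both variants echo the origin and pass, but on the first response, the one that actually sets the cookie, only the variant that also mirrors on `Set-Cookie` is accepted; with a literal `*` the browser discards the credentialed response and the cookie never lands.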

Please create a discussion.

Kludex avatar Sep 01 '24 19:09 Kludex

Done that https://github.com/encode/starlette/discussions/2684

SebastianBr avatar Sep 02 '24 06:09 SebastianBr

We can continue the discussion here.

I've checked the https://github.com/adamchainz/django-cors-headers implementation, and it doesn't look like they handle this case either.

Also, the Set-Cookie page on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie describes, in a warning, the behavior I mention regarding credentials.

Kludex avatar Sep 02 '24 08:09 Kludex