
Don't use wildcard allow origin header, allow credentials & send credentials on fetch

Administrator requested to merge fix-cors-ping into main

Created by: arussellsaw

This should be the final change. It's actually working already, but the browser still complains about CORS because of the headers returned. Specifically, it doesn't like allowing a wildcard origin.

The reason it works is that we only really need the headers sent in the request, which are sent before it can determine if it's happy about CORS 😄

We now use r.Host as the allowed origin, and include credentials on the request.
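An added example, not code from this merge request: Go middleware that echoes the request's Origin with credentials allowed only when that origin's host equals r.Host, because browsers reject a wildcard Access-Control-Allow-Origin on credentialed requests. The names allowedOrigin, withCORS and respond, the /ping path and the example.test hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigin returns the value to echo in Access-Control-Allow-Origin, or false to send none.
func allowedOrigin(origin, host string) (string, bool) {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", false // empty, "null" or malformed Origin
	}
	if !strings.EqualFold(u.Host, host) {
		return "", false // a different site: no CORS headers at all
	}
	return u.Scheme + "://" + u.Host, true
}

// withCORS adds credentialed-CORS headers only for an origin on the request's own host.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // the response depends on Origin, so caches must key on it
		if o, ok := allowedOrigin(r.Header.Get("Origin"), r.Host); ok {
			w.Header().Set("Access-Control-Allow-Origin", o) // never "*" with credentials
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// respond runs one constructed request through the middleware and returns the response headers.
func respond(origin, host string) http.Header {
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/ping", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	withCORS(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Header()
}

func main() {
	// Constructed sample origins, checked against a constructed host.
	for _, o := range []string{"https://app.example.test", "https://other.example.test", "null"} {
		fmt.Printf("%-28s -> %q\n", o, respond(o, "app.example.test").Get("Access-Control-Allow-Origin"))
	}
}
```

The Origin header carries a scheme while r.Host does not, so the comparison is made on the host part and the full origin is what gets echoed back.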
