Skip to content

dont use wildcard allow origin header, allow credentials & send credentials on fetch

Warren Gifford requested to merge fix-cors-ping into main

Created by: arussellsaw

This should be the final change, it's actually working already, but the browser still complains about CORS because of the headers returned. Specifically it doesn't like allowing a wildcard origin.

The reason it works is that we only really need the headers sent in the request, which are sent before it can determine if it's happy about CORS 😄

we now use r.Host as the allowed origin, and include credentials on the request.

Merge request reports

Loading