apache / openwhisk-apigateway

Apache OpenWhisk API Gateway service for exposing actions as REST interfaces.
https://openwhisk.apache.org/
Apache License 2.0

CORS: Including credentials doesn't work due to Access-Control-Allow-Origin: * #254

Closed mhamann closed 7 years ago

mhamann commented 7 years ago

Based on the CORS spec, the Access-Control-Allow-Origin header must be set to the domain of the origin request in order to be allowed when including credentials.

The gateway should get the domain for the incoming preflight request and respond with Access-Control-Allow-Origin: <domain.com>

mhamann commented 7 years ago

@alexsong93 can you take a look at this?
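
The behaviour requested in this issue, sketched as an added example that is not part of the original thread or the gateway's own code: the response echoes the request's `Origin` instead of `*` when credentials are allowed. It goes one step beyond the request by echoing only origins on an allowlist, because reflecting any origin together with `Access-Control-Allow-Credentials: true` lets every site read authenticated responses. `corsHeaders`, `ALLOWED_ORIGINS`, the method and header lists, and the example.com origins are assumptions made for illustration.

```javascript
// Added example: hypothetical names, not the gateway's API.
// Constructed sample allowlist of origins permitted to send credentials.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// reqHeaders: request headers with lower-cased names.
// allowCredentials: whether this API accepts cookies / HTTP auth cross-origin.
function corsHeaders(method, reqHeaders, allowCredentials) {
  // The answer depends on Origin, so shared caches must key on it.
  const headers = { "Vary": "Origin" };
  const origin = reqHeaders["origin"];
  if (!origin) return headers; // not a cross-origin request

  if (!allowCredentials) {
    // Without credentials the wildcard is valid.
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (ALLOWED_ORIGINS.has(origin)) {
    // With credentials the browser rejects "*": echo the exact origin.
    // Exact string match, so "null" and look-alike hosts never pass.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  } else {
    // Unknown origin: send no CORS headers and the browser blocks the read.
    return headers;
  }

  // Preflight: OPTIONS carrying Access-Control-Request-Method.
  if (method === "OPTIONS" && reqHeaders["access-control-request-method"]) {
    // Explicit lists: "*" is also not a wildcard on credentialed requests.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  }
  return headers;
}

// Constructed preflight from an allowlisted origin.
console.log(corsHeaders("OPTIONS", {
  "origin": "https://app.example.com",
  "access-control-request-method": "POST",
}, true));
```
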