Open hueniverse opened 5 years ago
Hi Eran 👋
It’s been a while since I used it myself. Back when we created it to use it with Hoodie, we needed a CORS API which works universally for all origins and accepts authentication (Access-Control-Allow-Credentials: true). If I recall correctly, just setting Access-Control-Allow-Origin: * is not allowed in combination with Access-Control-Allow-Credentials: true, so we set it dynamically to the request origin (see /index.js#L12).
I’ve never updated the module to the latest Hapi though since I stopped using it myself.
Does Hapi support this behavior out of the box now?
So this basically enables CORS while also disabling all of its protections?
Yes, you should not use it if your server uses cookies for authentication. I should probably put a big warning in the README 🤔
Can someone explain the purpose of this module? I'm confused.
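The header behaviour discussed in this thread, as an added example that is not part of the thread or the module's own code: it compares echoing the request origin with credentials allowed against a wildcard and against an explicit allowlist, using a simplified model of the browser's CORS check for credentialed requests. All function names and origins are constructed for illustration.

```javascript
// Added example. Names and origins below are constructed, not taken from the module.

// Behaviour described in the thread: echo whatever Origin the request carried
// and allow credentials, so the response matches every possible caller.
function reflectAnyOrigin(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The combination the thread says is not allowed: wildcard plus credentials.
function wildcardWithCredentials() {
  return {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened variant: echo the origin only when it is on an explicit allowlist.
function allowlistedOrigin(requestOrigin, allowlist) {
  if (!requestOrigin || !allowlist.has(requestOrigin)) return {};
  return reflectAnyOrigin(requestOrigin);
}

// Simplified model of the browser-side CORS check for a request sent with
// credentials (cookies): the allowed origin must equal the caller's origin
// exactly ('*' never matches) and credentials must be explicitly allowed.
function browserExposesResponse(requestOrigin, headers) {
  return headers['Access-Control-Allow-Origin'] === requestOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Run each policy against a trusted and an untrusted origin (both constructed).
function comparePolicies() {
  const allowlist = new Set(['https://app.example']);
  const rows = [];
  for (const origin of ['https://app.example', 'https://untrusted.example']) {
    rows.push({
      origin,
      reflect: browserExposesResponse(origin, reflectAnyOrigin(origin)),
      wildcard: browserExposesResponse(origin, wildcardWithCredentials()),
      allowlist: browserExposesResponse(origin, allowlistedOrigin(origin, allowlist)),
    });
  }
  return rows;
}

console.log(comparePolicies());
```

Only the allowlist column differs between the two origins; with reflection, a cookie-authenticated response is readable from any origin, which is why the thread advises against using it on servers that authenticate with cookies.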