For the public API calls, our CORS usage should allow_origins=*.
When implementing the hypothesis integration, we changed things to be more restrictive as we were including credentials in requests, and that is incompatible with origins=*. There should be a way to configure things so that the restrictive origins are only applied to the hypothesis requests and not the rest of them.
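One way to split the policy per route, as an added example that is not code from this project: a framework-independent sketch that serves `Access-Control-Allow-Origin: *` without credentials on public paths and an allowlisted, credentialed origin on the hypothesis paths. The `/hypothesis/` prefix, the `https://annotator.example` origin and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    allow_origins: frozenset  # {"*"} or a set of explicit origins
    allow_credentials: bool = False

    def __post_init__(self):
        # Browsers reject "*" on credentialed responses, so refuse to build that policy.
        if self.allow_credentials and "*" in self.allow_origins:
            raise ValueError("credentials cannot be combined with allow_origins=*")


# Assumed layout: the prefix and origin are placeholders, not taken from the project.
HYPOTHESIS_PREFIX = "/hypothesis/"
POLICIES = [
    (HYPOTHESIS_PREFIX,
     CorsPolicy(frozenset({"https://annotator.example"}), allow_credentials=True)),
    ("/", CorsPolicy(frozenset({"*"}))),  # every other (public) API route
]


def policy_for(path):
    """First matching prefix wins, so restrictive routes are listed before '/'."""
    for prefix, policy in POLICIES:
        if path.startswith(prefix):
            return policy
    raise LookupError(path)


def cors_headers(path, origin):
    """Return the CORS response headers for a request path and its Origin header."""
    if origin is None:
        return {}  # no Origin header: not a cross-origin browser request
    policy = policy_for(path)
    if "*" in policy.allow_origins:
        return {"Access-Control-Allow-Origin": "*"}
    if origin not in policy.allow_origins:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,  # echo the allowlisted origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from reusing one origin's response for another
    }
```

Listing the restrictive prefix first keeps the wildcard entry from matching the credentialed routes.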