Line 7 shows the flag on XMLHttpRequest that has to be set in order to make the invocation with Cookies, namely the withCredentials boolean value. By default, the invocation is made without Cookies. Since this is a simple GET request, it is not preflighted, but the browser will reject any response that does not have the Access-Control-Allow-Credentials: true header, and not make the response available to the invoking web content.
Ran into a bit of an edge case w/ GET requests being made where
withCredentials
is settrue
.https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
https://stackoverflow.com/questions/24687313/what-exactly-does-the-access-control-allow-credentials-header-do#comment48552925_24689738
Thanks for the awesome plugin!