joostfarla / serverless-cors-plugin

Serverless CORS Plugin - Managing Cross-origin resource sharing (CORS) policies
ISC License

Add Allow-Credentials Header to GET responses #3

Closed icereval closed 8 years ago

icereval commented 8 years ago

Ran into a bit of an edge case w/ GET requests being made where withCredentials is set true.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials

Line 7 shows the flag on XMLHttpRequest that has to be set in order to make the invocation with Cookies, namely the withCredentials boolean value. By default, the invocation is made without Cookies. Since this is a simple GET request, it is not preflighted, but the browser will reject any response that does not have the Access-Control-Allow-Credentials: true header, and not make the response available to the invoking web content.

https://stackoverflow.com/questions/24687313/what-exactly-does-the-access-control-allow-credentials-header-do#comment48552925_24689738

Thanks for the awesome plugin!
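
The behaviour described in the comment above, as an added example that is not part of the original thread or the plugin's own code: a simplified model of the check a browser applies to the response of a non-preflighted GET, next to a server-side helper that emits the headers from an origin allowlist. The function names, the policy shape and the origin are assumptions constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS check for a simple
// (non-preflighted) GET. All names, the policy shape and origins are constructed.
// `headers` is a plain object with lower-case header names.
function corsCheck(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { exposed: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  // Without credentials, a wildcard is enough.
  if (!withCredentials && allowOrigin === '*') {
    return { exposed: true, reason: 'ok' };
  }
  // A wildcard never satisfies a credentialed request: the origin must match.
  if (allowOrigin !== requestOrigin) {
    return { exposed: false, reason: 'origin not allowed' };
  }
  if (!withCredentials) {
    return { exposed: true, reason: 'ok' };
  }
  // The value must be the exact, case-sensitive string "true".
  if (headers['access-control-allow-credentials'] !== 'true') {
    return { exposed: false, reason: 'missing Access-Control-Allow-Credentials: true' };
  }
  return { exposed: true, reason: 'ok' };
}

// Hypothetical server-side helper: builds the CORS headers for a GET response
// from an explicit origin allowlist, so credentials are never paired with "*".
function getResponseHeaders(policy, requestOrigin) {
  if (!policy.origins.includes(requestOrigin)) return {};
  const headers = {
    'access-control-allow-origin': requestOrigin,
    vary: 'Origin', // response differs per origin, keep caches from mixing them
  };
  if (policy.allowCredentials) {
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Constructed sample: the same GET before and after the header is added.
const appOrigin = 'https://app.example';
const before = getResponseHeaders({ origins: [appOrigin], allowCredentials: false }, appOrigin);
const after = getResponseHeaders({ origins: [appOrigin], allowCredentials: true }, appOrigin);
console.log(corsCheck(appOrigin, true, before)); // rejected: header missing
console.log(corsCheck(appOrigin, true, after));  // exposed to the calling script
```

In the `before` case the server still processes the GET; the browser only withholds the response body from the calling script.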

joostfarla commented 8 years ago

Thanks for this great contribution!

Could you provide a unit test for this edge case? Then I will merge it right away!

joostfarla commented 8 years ago

Perfect, thanx! :+1: