koajs / cors

Cross-Origin Resource Sharing (CORS) for koa

The default CORS configuration poses a security risk. #93

Open ConardLi opened 8 months ago

ConardLi commented 8 months ago

I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This makes no difference to setting it as the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.

https://github.com/koajs/cors/commit/f31dac99f5355c41e7d4dd3c4a80c5f154941a11

fengmk2 commented 8 months ago

Setting request origin by default is more risky for browsers, so we refer to industry practice such as expressjs to set it to * by default. Since turning on the cors plugin is a user action, the default value is set instead of the null value, because if you want the null value, you can just introduce the cors plugin.

panva commented 8 months ago

> Setting request origin by default is more risky for browsers

Could you please elaborate on this statement?

julienw commented 7 months ago

The subtle difference is with the behaviors around credentials (cookies especially). A request with credentials answered with Access-Control-Allow-Origin: "*" will return an error in browsers, but with the right Origin credentials are accepted... provided that Access-Control-Allow-Credentials: true is specified, which wasn't and still isn't the case by default.

(In short: I agree with you that the change didn't change anything)
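To make the distinction in the thread concrete, here is an added example (not code from koajs/cors) that models the two server defaults under discussion, a fixed `*` versus a reflected request Origin, and runs the Fetch standard's CORS check against them with and without Access-Control-Allow-Credentials. The policy option names and the sample origin are constructed for illustration.

```javascript
// Added example, not from koajs/cors: the Fetch standard's CORS check applied
// to the two server defaults debated in this issue. Option names and the
// sample origin below are constructed for illustration.

// Server side: build the CORS response headers for a request Origin under a
// fixed "*" policy or a reflected-Origin policy. `allowCredentials` models
// Access-Control-Allow-Credentials, which the plugin leaves off by default.
function corsResponseHeaders(requestOrigin, { reflectOrigin = false, allowCredentials = false } = {}) {
  const headers = {};
  if (!requestOrigin) return headers; // same-origin request, nothing to add
  headers['Access-Control-Allow-Origin'] = reflectOrigin ? requestOrigin : '*';
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (reflectOrigin) headers['Vary'] = 'Origin'; // reflected values are per-origin, keep caches honest
  return headers;
}

// Browser side: the CORS check from the Fetch standard. Returns true when the
// browser exposes the response to the page, false when it reports a CORS error.
function browserCorsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (credentialsMode !== 'include') {
    return acao === '*' || acao === requestOrigin;
  }
  // With credentials, "*" is treated as a literal value rather than a wildcard,
  // so it never matches, and the server must also opt in with Allow-Credentials.
  if (acao !== requestOrigin) return false;
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// Evaluate every combination discussed in the thread for one constructed origin.
function compareDefaults(origin = 'https://app.example') {
  const rows = [];
  for (const reflectOrigin of [false, true]) {
    for (const allowCredentials of [false, true]) {
      const headers = corsResponseHeaders(origin, { reflectOrigin, allowCredentials });
      rows.push({
        policy: reflectOrigin ? 'reflect Origin' : '*',
        allowCredentials,
        anonymousOk: browserCorsCheck(origin, 'omit', headers),
        credentialedOk: browserCorsCheck(origin, 'include', headers),
      });
    }
  }
  return rows;
}

for (const row of compareDefaults()) console.log(row);
```

Without Allow-Credentials the two defaults behave identically; only the reflected Origin combined with Allow-Credentials: true lets a credentialed cross-origin request through, which is the configuration worth reviewing before enabling.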