pact-foundation / pact-mock_service

Provides a mock service for use with Pact
https://pact.io
MIT License

Always set 'Access-Control-Allow-Credentials: true' in preflight response #95

Closed andreasf closed 5 years ago

andreasf commented 6 years ago

Before sending credentials in cross origin requests, browsers expect the preflight response to contain the header Access-Control-Allow-Credentials: true.

According to the fetch spec, "credentials are HTTP cookies, TLS client certificates, and authentication entries (for HTTP authentication)." From the mock service's point of view, whenever an OPTIONS request asks to include the "Cookie" or "Authorization" headers via Access-Control-Request-Headers, the consumer expects Access-Control-Allow-Credentials in the response.

This pull request simply always sets the header in preflight responses.

Drawbacks:

Alternatives would be:

andreasf commented 6 years ago

Closing and reopening to rerun Travis...

bethesque commented 6 years ago

Hi @andreasf, thanks for your clear explanation. I would prefer your first suggested alternative (only send the header if Access-Control-Request-Headers contains Cookie or Authorization). The code should be quite straightforward (just remember that rack headers have HTTP_ prepended to them, so they'll be HTTP_COOKIE and HTTP_AUTHORIZATION. Sorry if I'm telling you how to suck eggs here!)

andreasf commented 5 years ago

I implemented the first alternative, would you mind taking a look?

Because the handler responds to the preflight request, the actual headers (HTTP_COOKIE, HTTP_AUTHORIZATION) aren't there yet. Instead, the browser asks through HTTP_ACCESS_CONTROL_REQUEST_HEADERS whether the headers (and credentials) may be included.
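The preflight logic described in this thread, as an added example that is not part of pact-mock_service's own code: a minimal Rack-style OPTIONS responder that reads `HTTP_ACCESS_CONTROL_REQUEST_HEADERS` (the Rack name for the browser's `Access-Control-Request-Headers`) and opts in to credentials only when `Cookie` or `Authorization` is among the requested headers. The method names, the `CREDENTIAL_HEADERS` constant and the sample env hash are assumptions constructed for this example.

```ruby
# Added example (not pact-mock_service's own code). Assumes a Rack-style
# env hash is passed in; header names in the env follow Rack's HTTP_ prefix.

# Request headers whose presence in a CORS request means the browser will
# send credentials, so the preflight must answer Allow-Credentials: true.
CREDENTIAL_HEADERS = %w[cookie authorization].freeze

# Access-Control-Request-Headers is a comma-separated, case-insensitive list;
# normalise it to lower-cased names with surrounding whitespace removed.
def requested_headers(env)
  env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'].to_s
     .split(',')
     .map { |name| name.strip.downcase }
     .reject(&:empty?)
end

# True when the browser announced that Cookie or Authorization will be sent.
def credentials_requested?(env)
  (requested_headers(env) & CREDENTIAL_HEADERS).any?
end

# Build the [status, headers, body] triple for a preflight (OPTIONS) request.
def preflight_response(env)
  headers = {
    'Access-Control-Allow-Origin'  => env['HTTP_ORIGIN'] || '*',
    'Access-Control-Allow-Methods' => env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] ||
                                      'GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS',
    'Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'].to_s
  }

  if credentials_requested?(env)
    # Browsers reject a credentialed response whose Allow-Origin is '*', so the
    # echoed Origin above is what makes this opt-in actually usable.
    headers['Access-Control-Allow-Credentials'] = 'true'
  end

  [200, headers, []]
end

# Constructed sample preflight, as a browser would send it before a
# cross-origin request carrying an Authorization header.
SAMPLE_PREFLIGHT_ENV = {
  'REQUEST_METHOD' => 'OPTIONS',
  'HTTP_ORIGIN' => 'http://localhost:3000',
  'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST',
  'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'Content-Type, Authorization'
}.freeze

if __FILE__ == $PROGRAM_NAME
  status, headers, = preflight_response(SAMPLE_PREFLIGHT_ENV)
  puts status
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Echoing any Origin together with Allow-Credentials is acceptable for a local test mock, which is the point of this service; a production server should compare the Origin against an allow-list before echoing it.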

bethesque commented 5 years ago

Looks great. Thanks. I will release as soon as I have a moment.