Open kxepal opened 10 years ago
How does couch handle setting both of those options and what is the correct set up? On Aug 23, 2014 2:21 PM, "Alexander Shorin" notifications@github.com wrote:
From CORS specification http://www.w3.org/TR/cors/#resource-requests:
If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.
Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.
The string "*" cannot be used for a resource that supports credentials.
This is also noted in CouchDB docs http://docs.couchdb.org/en/latest/config/http.html#cors/origins.
— Reply to this email directly or view it on GitHub https://github.com/pouchdb/add-cors-to-couchdb/issues/2.
@calvinmetcalf very easy: in this case CouchDB implicitly sets credentials=false without raising an error or logging that fact.
from what you're saying it would sound like setting credentials=true does nothing but https://github.com/pouchdb/add-cors-to-couchdb/pull/4 seems to imply changing it does have an effect
Yes, it does nothing, but it also doesn't doing what you're expected. That's why it's invalid (;
From CORS specification:
This is also noted in CouchDB docs.