pouchdb / add-cors-to-couchdb

CLI to add a good default CORS configuration to CouchDB
Apache License 2.0

Invalid setup: you cannot set origins=* and credentials=true at the same time #2

Open kxepal opened 10 years ago

kxepal commented 10 years ago

From CORS specification:

If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.

This is also noted in CouchDB docs.

calvinmetcalf commented 10 years ago

How does couch handle setting both of those options and what is the correct setup?

On Aug 23, 2014 2:21 PM, "Alexander Shorin" notifications@github.com wrote:

From CORS specification http://www.w3.org/TR/cors/#resource-requests:

If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.

This is also noted in CouchDB docs http://docs.couchdb.org/en/latest/config/http.html#cors/origins.


kxepal commented 10 years ago

@calvinmetcalf very easy: in this case CouchDB implicitly sets credentials=false without raising an error or logging that fact.

calvinmetcalf commented 10 years ago

From what you're saying it would sound like setting credentials=true does nothing, but https://github.com/pouchdb/add-cors-to-couchdb/pull/4 seems to imply changing it does have an effect.

kxepal commented 10 years ago

Yes, it does nothing, but it also doesn't do what you expect. That's why it's invalid (;
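
The rule quoted from the CORS specification in this thread, as an added example that is not part of the issue or of add-cors-to-couchdb's code: a check for the invalid combination, plus the headers a conforming resource would send for a given request Origin. The `origins` and `credentials` keys come from the issue; the function names and sample origins are assumptions, and the wildcard branch models the silent credentials=false fallback described above rather than CouchDB's actual implementation.

```javascript
// Added example: function names are hypothetical, sample origins are constructed.

// Split a comma-separated `origins` value as it would appear in a [cors] section.
function parseOrigins(origins) {
  return String(origins || '')
    .split(',')
    .map((o) => o.trim())
    .filter(Boolean);
}

function wantsCredentials(cors) {
  return String(cors.credentials).toLowerCase() === 'true';
}

// Return a list of problems; empty means the combination is valid.
function validateCorsConfig(cors) {
  const problems = [];
  if (wantsCredentials(cors) && parseOrigins(cors.origins).includes('*')) {
    problems.push(
      'origins=* cannot be combined with credentials=true; list explicit origins instead'
    );
  }
  return problems;
}

// Headers a spec-conforming resource would send for one request Origin.
function corsResponseHeaders(cors, requestOrigin) {
  const origins = parseOrigins(cors.origins);
  const wildcard = origins.includes('*');
  if (!wildcard && !origins.includes(requestOrigin)) {
    return {}; // origin not allowed: no CORS headers at all
  }
  // Assumption taken from the thread: with origins=*, credentials is treated as false.
  if (!wildcard && wantsCredentials(cors)) {
    return {
      'Access-Control-Allow-Origin': requestOrigin, // echo the Origin, never "*"
      'Access-Control-Allow-Credentials': 'true',   // case-sensitive string
    };
  }
  return { 'Access-Control-Allow-Origin': wildcard ? '*' : requestOrigin };
}

// Constructed sample configurations.
const invalid = { origins: '*', credentials: 'true' };
const valid = { origins: 'https://app.example.com', credentials: 'true' };
console.log(validateCorsConfig(invalid));
console.log(corsResponseHeaders(invalid, 'https://app.example.com'));
console.log(corsResponseHeaders(valid, 'https://app.example.com'));
```

Running the validator before writing the configuration surfaces the problem that, per the thread, CouchDB itself neither rejects nor logs.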