When doing an XmlHttpRequest preflight check with credentials: true, browsers won't accept Access-Control-Allow-Origin: * as a passing response. It requires the value of the response header to explicitly include the value provided in the Origin request header.
It's easy enough to automatically copy the request's Origin to the response's Access-Control-Allow-Origin, but we should consider (and document) the security implications, and possibly making it an opt-in configuration option.
When doing an
XmlHttpRequestpreflight check withcredentials: true, browsers won't acceptAccess-Control-Allow-Origin: *as a passing response. It requires the value of the response header to explicitly include the value provided in theOriginrequest header.It's easy enough to automatically copy the request's
Originto the response'sAccess-Control-Allow-Origin, but we should consider (and document) the security implications, and possibly making it an opt-in configuration option.Related issue: #103