cicnavi closed this 1 year ago
Base: 38.83% // Head: 38.78% // Decreases project coverage by -0.05%
Coverage data is based on head (b02ea09) compared to base (0948322). Patch coverage: 0.00% of modified lines in pull request are covered.
View full report at Codecov.
Hi - thanks for doing this. Should the headers only be sent on approved origins that are registered in the client registry database, similar to how the userinfo endpoint does it?
I don't think so. For example, well-known should be (and is) available to anyone... The 'userinfo' endpoint requires that a specific origin is returned in the preflight request, so instead of '*' we return the specific registered origin (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#credentialed_requests_and_wildcards).
Adding the Access-Control-Allow-Origin header with value '*' will enable JS clients to get data from authn endpoints in cross-origin scenarios. This is in addition to the already implemented CORS handling for the 'userinfo' endpoint, which only allows registered origins for browser preflight CORS requests.
Fixes #189
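The two CORS policies discussed in this thread (wildcard for public endpoints, exact registered origin for 'userinfo'), written out as an added Python example that is not the module's own code. The endpoint names, the registered-origin list and the preflight header values are illustrative assumptions.

```python
"""Added example: choose CORS response headers per OIDC endpoint.

Public endpoints (well-known discovery, authn endpoints) may be read by any
origin, so they get '*'. The 'userinfo' endpoint only serves registered
origins: browsers refuse '*' for credentialed requests, so the server must
echo one exact, registered origin or send no CORS header at all.
"""
from typing import Dict, Iterable, Optional

# Endpoint names are assumptions for this example, not the module's routes.
PUBLIC_ENDPOINTS = {"well-known", "authorization", "token", "jwks"}
REGISTERED_ONLY_ENDPOINTS = {"userinfo"}


def cors_headers(endpoint: str, origin: Optional[str],
                 registered_origins: Iterable[str],
                 preflight: bool = False) -> Dict[str, str]:
    """Return the CORS headers to add to the response for `endpoint`."""
    headers: Dict[str, str] = {}
    if endpoint in PUBLIC_ENDPOINTS:
        # Public data: any origin may read it, no origin check needed.
        headers["Access-Control-Allow-Origin"] = "*"
    elif endpoint in REGISTERED_ONLY_ENDPOINTS:
        # Never reflect an arbitrary Origin; only a registered one is echoed.
        if origin is None or origin not in set(registered_origins):
            return {}  # no CORS headers -> browser blocks the cross-origin read
        headers["Access-Control-Allow-Origin"] = origin
        # The response now differs per origin, so tell caches about it.
        headers["Vary"] = "Origin"
    else:
        return {}  # unknown endpoint: no CORS at all
    if preflight:
        # Answer the OPTIONS preflight; values are assumptions for the example.
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
    return headers


if __name__ == "__main__":
    registered = ["https://app.example"]  # constructed client registry entry
    print(cors_headers("well-known", "https://other.example", registered))
    print(cors_headers("userinfo", "https://app.example", registered, True))
    print(cors_headers("userinfo", "https://other.example", registered))
```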