fix(cors) proper handling of the ACAC header #2451

Merged: 1 commit, Apr 25, 2017

thibaultcha (Member)

Access-Control-Allow-Credentials used to systematically be set to
`false` if ACAC was `*`.

However, `false` is an invalid value for ACAC, which only accepts
`true`, and ACAO cannot be `*` when credentials are desired.

* if credentials are desired, ACAO will be set to the request's Origin
* ACAC never receives `false` anymore
* tests from @thefosk in #2243, plus one more to ensure port is
  included in ACAO if present in the request's Origin.

Replace #2243
@thibaultcha thibaultcha merged commit ca1c6c5 into master Apr 25, 2017
@thibaultcha thibaultcha deleted the fix/cors-proper-acac-header branch April 25, 2017 17:35
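
The header selection described in the commit message above, sketched in Python as an added example (this is not Kong's code, which does not appear on this page). `cors_headers`, `normalize_origin` and the `allowed_origins` parameter are hypothetical names; the exact-origin allowlist and the `Vary: Origin` header go beyond what the commit message states.

```python
from urllib.parse import urlsplit

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"

def normalize_origin(value):
    """Return a well-formed Origin as scheme://host[:port], else None."""
    try:
        parts = urlsplit(value or "")
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"

def cors_headers(allowed_origins, credentials, request_origin):
    """allowed_origins: "*" or a set of exact origins (hypothetical config)."""
    origin = normalize_origin(request_origin)
    wildcard = allowed_origins == "*"
    if not credentials:
        if wildcard:
            return {ACAO: "*"}          # no ACAC header at all, never "false"
        if origin in allowed_origins:
            return {ACAO: origin, "Vary": "Origin"}
        return {}
    # Credentials desired: ACAO must name one origin, so "*" is never sent.
    # With a wildcard config this reflects whatever origin asked, which lets
    # every site make credentialed requests; an exact allowlist is narrower.
    if origin is not None and (wildcard or origin in allowed_origins):
        return {ACAO: origin, ACAC: "true", "Vary": "Origin"}
    return {}
```
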