I suggest * should be the default Allowed CORS Origins config value. Null is not a CORS recommended value. With * configured the server will answer to any Origin. Also important is that with *, you can’t use the withCredentials header flag in the call, unless it’s from the same source (an app running from the server). If you need to use withCredentials and you are not running from the server, you need to set Allowed CORS Origins URLs in the config, so it's not an issue. The withCredentials header flag is to prevent cross-site token usage and hacking. It’s not really something we deal with. It would be used when using an external Auth provider, or if you are running a remote app. Even in those types of cases, all you have to do is enter the origin URL in the server config. See CORS statement on this subject:
The CORS request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of Access-Control-Allow-Origin, which doesn’t allow the use of credentials.
To correct this problem on the client side, ensure that the credentials flag’s value is false when issuing your CORS request. If the request is being issued using XMLHttpRequest, make sure you’re not setting withCredentials to true. If using Server-sent events, make sure EventSource.withCredentials is false (it’s the default value). If using the Fetch API, make sure Request.credentials is "omit". If, instead, you need to adjust the server’s behavior, you’ll need to change the value of Access-Control-Allow-Origin to grant access to the origin from which the client is loaded.
Additionally, the current default server config value is Null or an Empty string. I do not think this is a valid value.
CORS statement on using NULL:
Note: null should not be used: “It may seem safe to return Access-Control-Allow-Origin: “null”, but the serialization of the Origin of any resource that uses a non-hierarchical scheme (such as data: or file:) and sandboxed documents is defined to be “null”. Many User Agents will grant such documents access to a response with an Access-Control-Allow-Origin: “null” header, and any origin can create a hostile document with a “null” Origin. The “null” value for the ACAO header should therefore be avoided.”
It feels to me that using * is what we need and that using an empty value should default to *, thus eliminating an empty value.
Thanks
See the CORS specs that support this request: Access-Control-Allow-Origin
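
The header decision for each configuration value discussed in this issue, as an added example that is not part of the original post or the project's code. `corsHeaders` and its parameters are hypothetical, the origins in the test are constructed, and treating an empty setting as "send no CORS headers" is an assumption of this sketch.

```javascript
// Added example (hypothetical helper, not the project's implementation).
// Decides which CORS response headers to send, given the configured
// "Allowed CORS Origins" value and the Origin header of the request.
function corsHeaders(configValue, requestOrigin, allowCredentials = false) {
  // Accept a comma-separated list; tolerate null/undefined/empty config.
  const allowed = (configValue || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);

  // No Origin header means this is not a CORS request.
  // Empty config: send no CORS headers (assumption of this sketch), so
  // browsers block cross-origin reads while same-origin calls still work.
  if (!requestOrigin || allowed.length === 0) return {};

  if (allowed.includes("*")) {
    // Wildcard answers any origin. Browsers refuse it for credentialed
    // requests, so Access-Control-Allow-Credentials is never paired with it.
    return { "Access-Control-Allow-Origin": "*" };
  }

  // The serialized origin "null" (data:, file:, sandboxed documents) can be
  // produced by any page, so it is never echoed, even if it was configured.
  if (requestOrigin === "null") return {};

  // Explicit allowlist: exact string match only, no prefix or regex logic.
  if (!allowed.includes(requestOrigin)) return {};

  // Echo the matching origin and tell caches the response varies by Origin.
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    Vary: "Origin",
  };
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```
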