I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This makes no difference to setting it as the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.
Setting request origin by default is more risky for browsers, so refer to industry practice such as expressjs to set it to * by default.
Since turning on the cors plugin is a user action, the default value is set instead of the null value, because if you want the null value, you can just introduce the cors plugin.
The subtle difference is with the behaviors around credentials (cookies especially). A request with credentials answered with Access-Control-Allow-Origin: "*" will return an error in browsers, but with the right Origin credentials are accepted....
provided that Access-Control-Allow-Credentials: true is specified, which wasn't and still isn't the case by default.
(In short: I agree with you that the change didn't change anything)
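The difference the replies above describe, as an added example that is not code from this thread or from any project it mentions: a small model of how a server picks Access-Control-Allow-Origin under each policy (empty, `*`, reflected Origin, reflected Origin plus credentials, allowlist) and how a browser's CORS check judges the result. The function names, policy shape and origins are hypothetical and constructed for the example.

```javascript
// Server side: pick CORS response headers for one request under a policy.
// policy.origin: "*" | "reflect" | [allowed origins] | "" (plugin not enabled)
// policy.credentials: whether Access-Control-Allow-Credentials: true is sent
function buildCorsHeaders(policy, requestOrigin) {
  const headers = {};
  let allow = "";
  if (policy.origin === "*") {
    allow = "*";
  } else if (policy.origin === "reflect") {
    allow = requestOrigin; // echo any Origin back: as permissive as "*"
  } else if (Array.isArray(policy.origin)) {
    allow = policy.origin.includes(requestOrigin) ? requestOrigin : "";
  }
  if (allow) headers["Access-Control-Allow-Origin"] = allow;
  if (allow && policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (allow && allow !== "*") headers["Vary"] = "Origin"; // answer depends on Origin
  return headers;
}

// Browser side: the Fetch standard's CORS check on a response.
// "*" never passes a credentialed request; a reflected or allowlisted origin
// passes one only when Access-Control-Allow-Credentials is exactly "true".
function browserAccepts(headers, requestOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (!acao) return false;
  if (acao === "*") return !withCredentials;
  if (acao !== requestOrigin) return false;
  if (!withCredentials) return true;
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// Run each policy against a cross-site page (constructed origin), once
// without cookies and once with, returning {policyName: [noCreds, withCreds]}.
function compareDefaults(requestOrigin = "https://attacker.example") {
  const policies = {
    empty: { origin: "" },                                  // default the issue asks for
    star: { origin: "*" },                                  // the new default
    reflect: { origin: "reflect" },                         // the previous default
    reflectCreds: { origin: "reflect", credentials: true }, // the combination that matters
    allowlist: { origin: ["https://app.example"] },
  };
  const out = {};
  for (const [name, policy] of Object.entries(policies)) {
    const h = buildCorsHeaders(policy, requestOrigin);
    out[name] = [browserAccepts(h, requestOrigin, false), browserAccepts(h, requestOrigin, true)];
  }
  return out;
}
```

`star` and `reflect` produce the same browser outcome, which is the "didn't change anything" point; only `reflectCreds` lets a cookie-bearing cross-site request read the response.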
f31dac9