yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-12-28 23:57:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix CORS response headers.

Browse Source 
The combination of `Access-Control-Allow-Credentials: true` and
`Access-Control-Allow-Origin: *` is illegal for CORS specifications:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
This commit is contained in:
Alex Dupre 2022-06-22 09:36:48 +02:00 committed by Alexandre Bodin
parent 8b2108a940
commit 556c0e789d
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/core/strapi/lib/middlewares/cors.js
View File

@ -40,7 +40,7 @@ module.exports = config => {
const requestOrigin = ctx.accept.headers.origin;
if (whitelist.includes('*')) {
return '*';
return credentials ? requestOrigin : '*';
}
if (!whitelist.includes(requestOrigin)) {