Should Access-Control-Allow-Credentials be true by default? #95

Closed
JakobKallin opened this issue Sep 25, 2015 · 1 comment

Comments

@JakobKallin

The default value for the credentials parameter is true, causing Access-Control-Allow-Credentials to be set to true. Should this really be the default? It seems to me that the purpose of the header is to require explicit opt-in (for developers who don't know about it or forget to consider it), but Rack CORS makes it opt-out instead.

@badnorseman

Perhaps it would be a good idea to link to https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Credentials in the documentation. It explains that origins * wouldn't work with credentials true.
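
The browser-side rule both comments rely on, as an added example that is not part of the issue thread or Rack CORS's own code: a credentialed cross-origin response is readable only when the server echoes the exact origin and sends the literal `true`, and a wildcard origin is rejected. The function names and the `https://app.example` header sets are constructed for illustration, and preflight handling is left out.

```ruby
# Constructed sample response headers (not captured from a real server).
OPT_OUT_DEFAULT = { "Access-Control-Allow-Origin" => "https://app.example",
                    "Access-Control-Allow-Credentials" => "true" }.freeze
WILDCARD_CREDS  = { "Access-Control-Allow-Origin" => "*",
                    "Access-Control-Allow-Credentials" => "true" }.freeze
NO_CREDS        = { "Access-Control-Allow-Origin" => "https://app.example" }.freeze

# Header names are case-insensitive, so normalise before lookup.
def normalise(headers)
  headers.transform_keys { |k| k.to_s.downcase }
end

# Would a browser expose this cross-origin response to the calling page?
# with_credentials: true when the request carried cookies or HTTP auth.
def cors_response_readable?(request_origin, headers, with_credentials:)
  h = normalise(headers)
  allow_origin = h["access-control-allow-origin"]
  return false if allow_origin.nil?

  if with_credentials
    # The wildcard is never accepted for credentialed requests.
    return false if allow_origin == "*"
    return false unless allow_origin == request_origin
    # The value must be the literal, case-sensitive string "true".
    h["access-control-allow-credentials"] == "true"
  else
    allow_origin == "*" || allow_origin == request_origin
  end
end

# Review helper: flag header sets that opt in to credentialed reads.
def cors_findings(headers)
  h = normalise(headers)
  return [] unless h["access-control-allow-credentials"] == "true"

  case h["access-control-allow-origin"]
  when "*" then [:wildcard_with_credentials] # browsers reject this pairing
  when nil then []
  else [:credentialed_origin] # this origin can read authenticated responses
  end
end
```

Running `cors_findings` over the headers a deployment actually returns shows whether credentialed access is in effect, whether it was chosen deliberately or inherited from a default.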
