3.xbughelp wanted
Repository-Metriken
- Stars
- (5.897 Stars)
- PR-Merge-Metriken
- (Keine gemergten PRs in 30 T)
Beschreibung
The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.
https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
https://fetch.spec.whatwg.org/#http-new-header-syntax
Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.
Instead, it could either:
- Throw an error
- Not set CORS response headers, i.e. rejecting the CORS request
- Use the
Originrequest header, if specified. TheVary: Originresponse header would need to be set too then.