
default config of origin: * and credentials: true seems invalid? #96


@robacarp

Hey there, I'm not sure of the status of your plug here, hopefully you're still around. Thanks for your time on this library.

I ran into a small issue with the default config. If you don't consider this a bug, perhaps this paper trail will be helpful for some other future traveler.

When creating a request in browser-land javascript, like this:

```javascript
fetch(url, {
  credentials: "include", // fetch's credentials option is "omit" | "same-origin" | "include", not a boolean
  mode: "cors"
})
```

By default CORSPlug gives an invalid response:

access-control-allow-origin: *
access-control-allow-credentials: true
[...]

Firefox fails with an ambiguous "null" and Chrome shows the message:

Access to fetch at '[url]' from origin '[other url]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

The MDN Article on Access-Control-Allow-Origin explains further:

For requests without credentials, the literal value "*" can be specified as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials results in an error.

A behavior I have seen elsewhere is that when the origin is specified as '*', credentials is disabled. In that case, it's silently disabled, which bit me in a different way.
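As an added illustration (not code from the cors_plug project), the following models the browser-side check that produced the Chrome error above and shows the response header set a server should send instead: echo the request origin only if it is on an allow-list, send `Access-Control-Allow-Credentials: true` only alongside that echoed origin, and add `Vary: Origin`. The allow-list and origins are constructed sample values.

```javascript
// Constructed sample allow-list for the server side of the example.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Approximates the browser rule quoted in the issue. With credentials mode
// "include", Access-Control-Allow-Origin must not be "*" and must match the
// request origin, and Access-Control-Allow-Credentials must be exactly "true".
// Without credentials, "*" is accepted.
function browserAllows(responseHeaders, requestOrigin, credentialsMode) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];
  if (acao === undefined) return false; // no CORS headers at all: blocked
  if (credentialsMode !== "include") {
    return acao === "*" || acao === requestOrigin;
  }
  if (acao === "*") return false;          // the failure described in this issue
  if (acao !== requestOrigin) return false; // origin must be echoed exactly
  return acac === "true";                   // literal string "true", case-sensitive
}

// Builds the headers a credentialed CORS endpoint should send for a request
// from requestOrigin. Unknown origins get no CORS headers, so the browser
// blocks them; known origins are echoed back rather than wildcarded.
function corsHeadersFor(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep shared caches from reusing one origin's headers for another
  };
}

// The invalid default from the issue, for comparison.
const WILDCARD_WITH_CREDENTIALS = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};
```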
