Why does the credentials CORS options accept only false?
hamzahamidi opened this issue
Runtime: nodejs
Runtime version: v18.17.1
Module version: 21.3.0
Used with: No response
Any other relevant information: No response
How can we help?
From the JSON schema here:
credentials: Validate.boolean().when('origin', { is: 'ignore', then: false }).default(false),
I'm trying to set the CORS credentials to true like:
cors: {
    origin: ['*'],
    credentials: true,
    additionalHeaders: [
        'Accept',
        'Authorization',
        'Content-Type',
        'If-None-Match',
        'Access-Control-Allow-Credentials',
    ],
    additionalExposedHeaders: ['WWW-Authenticate', 'Server-Authorization', 'Access-Control-Allow-Credentials'],
},
Yet I get:
'[1] "cors.credentials" must be one of [false]\x1B[0m',
Unfortunately CORS doesn't permit you to use the wildcard * for origins while also allowing credentials: browsers won't allow it. This is described in some more detail here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
If you could share some more code that would be useful! Are you configuring this on a route, or on the server?
It's on the server side. It's coming from this line
const settings = internals.config([core.settings.routes, handlerDefaults, realm.settings, rulesConfig, config]);
At some point the value is changed to ignore
config = Hoek.applyToDefaults(config, item, { shallow: ['bind', 'validate.headers', 'validate.payload', 'validate.params', 'validate.query', 'validate.state'] });
I couldn't catch when because it's called hundreds of times.
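The browser rule cited in the reply above (no wildcard origin together with credentials), as an added example that is not part of the original thread and is not hapi's code. The helper names `buildCorsHeaders` and `browserAllowsCredentialedRead` and the `https://app.example` origins are hypothetical; the policy object only borrows the `origin` and `credentials` field names from the configuration in the question.

```javascript
// Hypothetical helper (not hapi's implementation): derives CORS response
// headers from an origin allowlist and a credentials flag.
function buildCorsHeaders(policy, requestOrigin) {
    const { origin, credentials = false } = policy;
    const wildcard = origin.includes('*');

    // Reject the combination up front: browsers refuse
    // "Access-Control-Allow-Origin: *" on credentialed requests.
    if (wildcard && credentials) {
        throw new Error('credentials: true needs an explicit origin allowlist, not "*"');
    }

    if (wildcard) {
        return { 'access-control-allow-origin': '*' };
    }

    // Exact string match only; substring or suffix matching would let
    // look-alike origins through.
    if (!requestOrigin || !origin.includes(requestOrigin)) {
        return {}; // no CORS headers, so the browser blocks the cross-origin read
    }

    const headers = {
        'access-control-allow-origin': requestOrigin,
        // Prevents a shared cache from replaying one origin's response to another.
        vary: 'Origin'
    };
    if (credentials) {
        headers['access-control-allow-credentials'] = 'true';
    }
    return headers;
}

// Models the check a browser applies to a response for a credentialed request:
// the allowed origin must equal the requesting origin (a literal "*" fails)
// and Access-Control-Allow-Credentials must be exactly "true".
function browserAllowsCredentialedRead(headers, requestOrigin) {
    return headers['access-control-allow-origin'] === requestOrigin &&
        headers['access-control-allow-credentials'] === 'true';
}

// Constructed sample run: an explicit allowlist with credentials enabled.
function demo() {
    const policy = { origin: ['https://app.example'], credentials: true };
    return ['https://app.example', 'https://other.example'].map((o) =>
        browserAllowsCredentialedRead(buildCorsHeaders(policy, o), o));
}
```
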