From a233e11d59b4bfc0483033e5edc38e922fca0635 Mon Sep 17 00:00:00 2001
From: Julian Simioni
Date: Fri, 8 Sep 2017 15:23:32 -0400
Subject: [PATCH] Remove Access-Control-Allow-Credentials header

This header is only relevant if dealing with authentication via cookies or other methods in HTTP requests. The Pelias API intentionally doesn't deal with authentication at all, assuming anyone who wants authentication will deal with it using a service placed between Pelias and end users. Additionally the CORS spec [does not allow](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Credentialed_requests_and_wildcards) specifying this header while setting a wildcard for `Access-Control-Allow-Origin`, so it can cause problems in some cases. Fixes https://github.com/pelias/api/issues/971
---
 middleware/cors.js | 3 +--
 test/ciao/CORS/headers_GET.coffee | 1 -
 test/ciao/CORS/headers_OPTIONS.coffee | 1 -
 3 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/middleware/cors.js b/middleware/cors.js
index d090f46f..6d30529f 100644
--- a/middleware/cors.js
+++ b/middleware/cors.js
@@ -3,8 +3,7 @@ function middleware(req, res, next){
 res.header('Access-Control-Allow-Origin', '*');
 res.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
 res.header('Access-Control-Allow-Headers', 'X-Requested-With,content-type');
- res.header('Access-Control-Allow-Credentials', true);
 next();
 }
-module.exports = middleware;
\ No newline at end of file
+module.exports = middleware;
diff --git a/test/ciao/CORS/headers_GET.coffee b/test/ciao/CORS/headers_GET.coffee
index 53866718..185838ab 100644
--- a/test/ciao/CORS/headers_GET.coffee
+++ b/test/ciao/CORS/headers_GET.coffee
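Review bot: The reason the credentials header must stay out lives only in the commit message; the middleware body in this hunk still sets `Access-Control-Allow-Origin` to `*` with nothing in the code recording that the API is intentionally unauthenticated, so a later maintainer wiring up cookie or token auth could reintroduce the same wildcard-plus-credentials conflict. A one-line comment above the origin header would anchor the decision where it is read: `// Wildcard origin: this API is intentionally anonymous, so never add Access-Control-Allow-Credentials here (CORS forbids it with '*'); put auth in a proxy in front of Pelias instead.` The enclosing `middleware` function starts on a line above this hunk.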
@@ -6,4 +6,3 @@ path: '/'
 response.should.have.header 'Access-Control-Allow-Origin','*'
 response.should.have.header 'Access-Control-Allow-Methods','GET, OPTIONS'
 response.should.have.header 'Access-Control-Allow-Headers','X-Requested-With,content-type'
-response.should.have.header 'Access-Control-Allow-Credentials','true'
\ No newline at end of file
diff --git a/test/ciao/CORS/headers_OPTIONS.coffee b/test/ciao/CORS/headers_OPTIONS.coffee
index 5575391a..3cb47b37 100644
--- a/test/ciao/CORS/headers_OPTIONS.coffee
+++ b/test/ciao/CORS/headers_OPTIONS.coffee
@@ -7,4 +7,3 @@ method: 'OPTIONS'
 response.should.have.header 'Access-Control-Allow-Origin','*'
 response.should.have.header 'Access-Control-Allow-Methods','GET, OPTIONS'
 response.should.have.header 'Access-Control-Allow-Headers','X-Requested-With,content-type'
-response.should.have.header 'Access-Control-Allow-Credentials','true'
\ No newline at end of file