Browse Source

Remove Access-Control-Allow-Credentials header

This header is only relevant if dealing with authentication via cookies
or other methods in HTTP requests. The Pelias API intentionally doesn't
deal with authentication at all, assuming anyone who wants
authentication will deal with it using a service placed between Pelias
and end users.

Additionally the CORS spec [does not allow](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Credentialed_requests_and_wildcards)
specifying this header while setting a wildcard for
`Access-Control-Allow-Origin`, so it can cause problems in some cases.

Fixes https://github.com/pelias/api/issues/971
pull/982/head
Julian Simioni 7 years ago
parent
commit
a233e11d59
No known key found for this signature in database
GPG Key ID: 6DAD08919FDBF563
  1. 1
      middleware/cors.js
  2. 1
      test/ciao/CORS/headers_GET.coffee
  3. 1
      test/ciao/CORS/headers_OPTIONS.coffee

1
middleware/cors.js

@ -3,7 +3,6 @@ function middleware(req, res, next){
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
res.header('Access-Control-Allow-Headers', 'X-Requested-With,content-type');
res.header('Access-Control-Allow-Credentials', true);
next();
}

1
test/ciao/CORS/headers_GET.coffee

@ -6,4 +6,3 @@ path: '/'
response.should.have.header 'Access-Control-Allow-Origin','*'
response.should.have.header 'Access-Control-Allow-Methods','GET, OPTIONS'
response.should.have.header 'Access-Control-Allow-Headers','X-Requested-With,content-type'
response.should.have.header 'Access-Control-Allow-Credentials','true'

1
test/ciao/CORS/headers_OPTIONS.coffee

@ -7,4 +7,3 @@ method: 'OPTIONS'
response.should.have.header 'Access-Control-Allow-Origin','*'
response.should.have.header 'Access-Control-Allow-Methods','GET, OPTIONS'
response.should.have.header 'Access-Control-Allow-Headers','X-Requested-With,content-type'
response.should.have.header 'Access-Control-Allow-Credentials','true'
Loading…
Cancel
Save