Invalid setup: you cannot set origins=* and credentials=true at the same time

[kxepal]

From CORS specification:

If the resource supports credentials add a single Access-Control-Allow-Origin header, with the value of the Origin header as value, and add a single Access-Control-Allow-Credentials header with the case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either the value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.

This is also noted in CouchDB docs.

[calvinmetcalf]

How does couch handle setting both of those options and what is the correct
set up?
On Aug 23, 2014 2:21 PM, "Alexander Shorin" [email protected]
wrote:

From CORS specification http://www.w3.org/TR/cors/#resource-requests:

If the resource supports credentials add a single
Access-Control-Allow-Origin header, with the value of the Origin header as
value, and add a single Access-Control-Allow-Credentials header with the
case-sensitive string "true" as value.

Otherwise, add a single Access-Control-Allow-Origin header, with either
the value of the Origin header or the string "*" as value.

The string "*" cannot be used for a resource that supports credentials.

This is also noted in CouchDB docs
http://docs.couchdb.org/en/latest/config/http.html#cors/origins.

—
Reply to this email directly or view it on GitHub
#2.

[kxepal]

@calvinmetcalf very easy: in this case CouchDB implicitly sets credentials=false without raising an error or logging that fact.

[calvinmetcalf]

from what you're saying it would sound like setting credentials=true does nothing but #4 seems to imply changing it does have an effect

[kxepal]

Yes, it does nothing, but it also doesn't doing what you're expected. That's why it's invalid (;