You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Allow more wildcards in CORS when used without credentials
Enable Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers to use a wildcard, with the same restriction as placed upon wildcards in Access-Control-Allow-Origin. Namely, it can only be used for requests where the credentials mode is "omit".
The Authorization header still needs to be explicitly listed by Access-Control-Allow-Headers even with the wildcard.
This also makes the CORS cache wildcard-aware and updates some of the terminology around CORS caches to share more concepts.
Fixes#251 and fixes#252.
0 commit comments