unexpected response headers #519
If supports credentials is false, the `*` is valid and does not need to return the actual host. By adding the header always, it means that the response can be cached with a reverse proxy. The Allow headers should be added I think, otherwise that might be a bug. But I think there are tests for that?
Thanks for your reply Barry, much appreciated!
Referenced: laravel-cors/tests/GlobalMiddlewareTest.php, lines 141 to 167 in 4f92f55
Hi,
I'm trying to implement CORS in my Laravel application. At the moment, the correct headers are sent by the Nginx webserver, but implementing this in the application makes more sense I think.
However, I get some unexpected response headers, and I cannot understand why that should be correct.
My (testing) config:
When sending a request with or without an `Origin` header present, the response headers always contain `Access-Control-Allow-Origin: *`. But why? A request without an `Origin` header should not return this header, and a request with a specific `Origin` value should return this value as the value of the `Access-Control-Allow-Origin` key, at least to my understanding.

When setting `supports_credentials` to `true`, it makes a bit more sense. When an `Origin` header is specified, it returns the value as expected (the value is set to the value specified in the `Origin` header). But when the request `Origin` header is not set, an empty `Access-Control-Allow-Origin` is returned (no value). This can't be right I think?

Another issue is that `Access-Control-Allow-Headers` is never set in the response. According to the config, this should be managed by `allowed_headers`, but that does not seem to work at all. I tried `*` or a specific string, but no response header is set. I'm aware that this package is merely a package for https://github.com/asm89/stack-cors, so if it makes more sense to ask these questions over there, please let me know (but I will have to test the original package to make it behave the same).

Please let me know if this makes any sense, or that it is just me missing something obvious...
Thanks
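To make the two behaviours in this thread concrete (an unconditional `*` when credentials are off, an echoed `Origin` plus `Vary: Origin` when they are on, and `Access-Control-Allow-Headers` only on a preflight), here is an added model of the header decisions. It is not code from laravel-cors or asm89/stack-cors; only the config key names are borrowed from the package, the rules are the standard CORS ones.

```python
# Added model of the CORS header decisions discussed in this issue. Not the
# package's code: config key names mirror laravel-cors, the logic is plain CORS.

def _is_preflight(method, req):
    return method == "OPTIONS" and "Access-Control-Request-Method" in req

def cors_headers(method, req, allowed_origins, allowed_headers, supports_credentials):
    """Return the CORS response headers for one request.

    req is a dict of request headers; allowed_origins / allowed_headers are
    lists that may contain '*'. Keys follow the laravel-cors config names.
    """
    origin = req.get("Origin")
    wildcard_origin = "*" in allowed_origins
    out = {}

    if wildcard_origin and not supports_credentials:
        # '*' is a valid answer for every origin, so it can be emitted on every
        # response (Origin or not). The response does not vary by Origin, so a
        # reverse proxy may cache it safely.
        out["Access-Control-Allow-Origin"] = "*"
    else:
        # The value now depends on the request, so every response must carry
        # Vary: Origin or a shared cache could hand one origin's response to
        # another origin.
        out["Vary"] = "Origin"
        if origin is None:
            return out  # not a CORS request: send no Allow-Origin at all
        if not (wildcard_origin or origin in allowed_origins):
            return out  # origin not allowed: the browser will block the read
        out["Access-Control-Allow-Origin"] = origin
        if supports_credentials:
            out["Access-Control-Allow-Credentials"] = "true"

    # Access-Control-Allow-Headers belongs on a preflight response only; a plain
    # GET/POST never carries it, whatever allowed_headers is set to.
    if origin is not None and _is_preflight(method, req):
        requested = [h.strip() for h in
                     req.get("Access-Control-Request-Headers", "").split(",")
                     if h.strip()]
        if "*" in allowed_headers:
            # Echo the requested names: a literal '*' is not honoured by
            # browsers when credentials are allowed, echoing works in both modes.
            out["Access-Control-Allow-Headers"] = ", ".join(requested)
        else:
            out["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
    return out
```

Testing with a plain GET therefore never shows `Access-Control-Allow-Headers`; send an OPTIONS request with `Access-Control-Request-Method` and `Access-Control-Request-Headers` to see it.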