[73] modify cors to allow including credentials #74
Conversation
explicitly define allowed methods and origins
jakubmanczak
left a comment
jakubmanczak
left a comment
There was a problem hiding this comment.
I don't like it being mandatory for local development, as most of the time you'd just specify 'localhost' anyway; this, or request origin reflection, should happen in dev builds by default.
| let layer = CorsLayer::new() | ||
| .allow_origin(frontend_origin.parse::<HeaderValue>().unwrap()) | ||
| .allow_methods([Method::GET, Method::POST, Method::DELETE, Method::PATCH]) | ||
| .allow_headers([CONTENT_TYPE]) |
There was a problem hiding this comment.
Wait, does it require us to specify allowed headers? Please tell me it doesn't. And let's not do that if we can avoid it.
There was a problem hiding this comment.
Sadly, it does.
There was a problem hiding this comment.
Can you tell me exactly why? How does this need manifest?
There was a problem hiding this comment.
When trying to make requests at browser level, errors are returned: this one and others relating to it. This forced me to define allowed origins, methods and headers.
There was a problem hiding this comment.
After testing this turns out to be true; I meant specifically Allowed-Headers, since the other ones are commonly seen and all. This is so extremely dumb. But yes, I concede. This works.
jakubmanczak
left a comment
jakubmanczak
left a comment
There was a problem hiding this comment.
I'd still have a think about that CORS origin reflection, but this will have to do.
Resolves #73