```scala
// List the hosts and ports which will be allowed to make cross-origin requests,
// separated by commas (* by default).
context.initParameters("org.scalatra.cors.allowedOrigins") = "*"

// By default, cookies are not included in CORS requests. Set this to `true` to allow cookies.
context.initParameters("org.scalatra.cors.allowCredentials") = true
```
The browser will block all cross-domain requests with these settings, because allowedOrigins may not be a wildcard when allowCredentials is true. This is based on the CORS documentation, which states:

> Credentialed requests and wildcards
>
> When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

scalatra-website has been updated to reflect this behavior in the documentation (scalatra/scalatra-website#181), but it would be better to change the default, which is effectively broken.
Current defaults:
Suggested new default:
With this default setting, CORS works as expected out of the box with a wildcard for allowedOrigins.
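The browser-side rule quoted in this issue, as an added example that is not part of the original issue or of Scalatra's code: a JavaScript model of the Fetch standard's CORS check for the two headers involved. The origin `https://app.example` and the sample responses are constructed, and the first sample assumes the server sends the literal `*` together with `Access-Control-Allow-Credentials: true`.

```javascript
// Browser-side CORS check from the Fetch standard, reduced to the two headers
// discussed in this issue. All origins and header values are constructed samples.
function corsCheck({ requestOrigin, credentialsMode, responseHeaders }) {
  // Header names are case-insensitive; normalise before lookup.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const allowOrigin = headers.get("access-control-allow-origin");
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "missing Access-Control-Allow-Origin" };
  }
  const credentialed = credentialsMode === "include";
  // The wildcard only satisfies requests made without credentials.
  if (allowOrigin === "*") {
    return credentialed
      ? { allowed: false, reason: "wildcard origin on a credentialed request" }
      : { allowed: true, reason: "wildcard origin, no credentials" };
  }
  // Any other value must equal the serialized request origin exactly.
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: "origin mismatch" };
  }
  if (!credentialed) {
    return { allowed: true, reason: "origin matched, no credentials" };
  }
  // Credentialed requests also need the literal value "true".
  return headers.get("access-control-allow-credentials") === "true"
    ? { allowed: true, reason: "origin matched, credentials allowed" }
    : { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Hypothetical page origin and three constructed responses (assumptions).
const ORIGIN = "https://app.example";
const SAMPLES = {
  wildcardWithCredentials: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
  },
  wildcardOnly: { "Access-Control-Allow-Origin": "*" },
  explicitOrigin: {
    "Access-Control-Allow-Origin": ORIGIN,
    "Access-Control-Allow-Credentials": "true",
  },
};

function runSample(name, credentialsMode) {
  return corsCheck({ requestOrigin: ORIGIN, credentialsMode, responseHeaders: SAMPLES[name] });
}
console.log(runSample("wildcardWithCredentials", "include"));
```

Only requests sent with credentials (`credentials: "include"` in `fetch`, or `withCredentials` on XHR) hit the wildcard rejection; the same response passes for a request sent without them.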