Automatic CORS preflight breaks when credentials are used. #44

@davidmason

Automatic CORS preflight (added in 1.16.0) always returns header 'Access-Control-Allow-Origin': '*'. When using credentials, '*' is not accepted by browsers, and a specific allowed origin is needed instead.

When I define the options endpoint myself and try to return a specific origin, it appears that the automatic preflight takes precedence so the response still has '*'. I can't update above 1.15.0 because of this.

  • If I specify my own options response for an endpoint, that should be used instead of the automatic one.
  • I should be able to turn off the automatic CORS preflight (completely and/or per-endpoint).

EDIT: there are 2 places where the Access-Control-* headers are relevant - OPTIONS request, and in responseHeaders on a GET response. To get CORS with credentials working, I had to make sure I returned the right allowed origin and other access control headers from both of those.

I forget whether I tested overriding the default CORS in both these places at once.
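
The header rules described in this issue (a specific origin instead of '*' on both the OPTIONS preflight and the actual response when credentials are used), as an added example that is not part of the original issue or the project's code. `corsHeaders`, `preflightExtras`, the origin allowlist and the method list are assumptions made for illustration.

```javascript
// Added example: function names, origins and the method list are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',
  'https://admin.example.test',
]);

// Build the Access-Control-* headers for one request.
// method:     HTTP method of the incoming request ('OPTIONS' for a preflight)
// reqHeaders: incoming request headers, keyed by lower-cased name
// Returns {} when no CORS headers should be sent, so the browser blocks the read.
function corsHeaders(method, reqHeaders, { credentials = true } = {}) {
  const origin = reqHeaders['origin'];
  if (!origin) return {}; // not a cross-origin request

  if (!credentials) {
    // Without credentials, browsers accept the wildcard.
    return preflightExtras(method, reqHeaders, {
      'Access-Control-Allow-Origin': '*',
    });
  }

  // With credentials, '*' is rejected. Echo the origin only if it is
  // allowlisted; reflecting any origin would open the API to every site.
  if (!ALLOWED_ORIGINS.has(origin)) return {};

  return preflightExtras(method, reqHeaders, {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // stop caches serving one origin's response to another
  });
}

// A preflight (OPTIONS) response also states the allowed methods and headers.
function preflightExtras(method, reqHeaders, headers) {
  if (method !== 'OPTIONS') return headers;
  headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
  const wanted = reqHeaders['access-control-request-headers'];
  // Name the requested headers explicitly rather than answering '*'.
  if (wanted) headers['Access-Control-Allow-Headers'] = wanted;
  return headers;
}
```

The same function serves both places the issue mentions: call it with 'OPTIONS' for the preflight and with the real method for the response headers of the actual request.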
