fix: Fix CORS handling

isomorphic-git · Sep 20, 2018 · 9b84000 · 9b84000
1 parent 4fa1141
commit 9b84000
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/index.js b/index.js
@@ -48,6 +48,7 @@ const cors = require('./micro-cors.js')({
   allowHeaders,
   exposeHeaders,
   allowMethods,
+  allowCredentials: false,
   origin
 })
 const allow = require('./allow-request.js')
@@ -86,6 +87,8 @@ async function service (req, res) {
     // Don't waste my precious bandwidth
     return send(res, 403, '')
   }
+
+  // Handle CORS preflight request
   if (req.method === 'OPTIONS') {
     return send(res, 200, '')
   }
@@ -120,4 +123,4 @@ async function service (req, res) {
   f.body.pipe(res)
 }
 
-module.exports = cors(service)
+module.exports = cors(service)
diff --git a/micro-cors.js b/micro-cors.js
@@ -1,5 +1,6 @@
 // MIT License
 // https://github.com/possibilities/micro-cors
+// source: https://github.com/possibilities/micro-cors/pull/42
 const DEFAULT_ALLOW_METHODS = [
   'POST',
   'GET',
@@ -26,11 +27,14 @@ const cors = (options = {}) => handler => (req, res, ...restArgs) => {
     maxAge = DEFAULT_MAX_AGE_SECONDS,
     allowMethods = DEFAULT_ALLOW_METHODS,
     allowHeaders = DEFAULT_ALLOW_HEADERS,
+    allowCredentials = true,
     exposeHeaders = []
   } = options
 
   res.setHeader('Access-Control-Allow-Origin', origin)
-  res.setHeader('Access-Control-Allow-Credentials', 'true')
+  if (allowCredentials) {
+    res.setHeader('Access-Control-Allow-Credentials', 'true')
+  }
   if (exposeHeaders.length) {
     res.setHeader('Access-Control-Expose-Headers', exposeHeaders.join(','))
   }