From 7dad17d91230685a4dca667240639b6197d83491 Mon Sep 17 00:00:00 2001
From: Martin Ossowski <martin.ossowski@trivago.com>
Date: Wed, 7 Oct 2015 15:22:47 +0200
Subject: [PATCH] compatibility with credentialed requests

---
 lib/middleware/response.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/middleware/response.js b/lib/middleware/response.js
index b182269..fd4a733 100644
--- a/lib/middleware/response.js
+++ b/lib/middleware/response.js
@@ -19,7 +19,8 @@ exports.drakovHeaders = function(req, res, next) {
 exports.corsHeaders = function(disableCORS) {
     return function(req, res, next) {
         if (!disableCORS) {
-            res.set('Access-Control-Allow-Origin', '*');
+            res.set('Access-Control-Allow-Origin', req.headers.origin || '*');
+            res.set('Access-Control-Allow-Credentials', 'true');
             res.set('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
         }
         next();