#330: Set 'access-control-allow-origin' to the requests origin in cas…

…e the "Access-Control-Allow-Credentials" is true
Rob--W · Mar 4, 2021 · fac9031 · fac9031
1 parent 9f1af82
commit fac9031
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
@@ -65,6 +65,11 @@ function withCORS(headers, request) {
     delete request.headers['access-control-request-headers'];
   }
 
+  //If "Access-Control-Allow-Credentials" is "true", "Access-Control-Allow-Origin" cannot be "*"!
+  //https://github.com/Rob--W/cors-anywhere/issues/330
+  if (headers['access-control-allow-credentials']) {
+    headers['access-control-allow-origin'] = request.headers['origin'];
+  }
   headers['access-control-expose-headers'] = Object.keys(headers).join(',');
 
   return headers;