From fac9031ea5eaf3f5ba275a8275df17bd72c17aab Mon Sep 17 00:00:00 2001
From: Mario Sarcher
Date: Thu, 4 Mar 2021 13:58:00 +0100
Subject: [PATCH] #330: Set 'access-control-allow-origin' to the requests origin in case the "Access-Control-Allow-Credentials" is true
---
 lib/cors-anywhere.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
index 0897f940..ce1944fd 100644
--- a/lib/cors-anywhere.js
+++ b/lib/cors-anywhere.js
@@ -65,6 +65,11 @@ function withCORS(headers, request) {
 delete request.headers['access-control-request-headers'];
 }
+ //If "Access-Control-Allow-Credentials" is "true", "Access-Control-Allow-Origin" cannot be "*"!
+ //https://github.com/Rob--W/cors-anywhere/issues/330
+ if (headers['access-control-allow-credentials']) {
+ headers['access-control-allow-origin'] = request.headers['origin'];
+ }
 headers['access-control-expose-headers'] = Object.keys(headers).join(',');
 return headers;
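Review bot: The new guard `if (headers['access-control-allow-credentials'])` is a truthiness test on a header that, as far as this hunk shows, is taken from the proxied response, so any non-empty value (including `false`) replaces the wildcard with a reflected origin, and a request that carries no `Origin` header assigns `undefined` to `access-control-allow-origin`. I would tighten the condition to `if (headers['access-control-allow-credentials'] === 'true' && request.headers.origin) {`. Echoing the caller's origin together with credentials lets any site read credentialed responses through the proxy, so this branch should run only for origins the deployment explicitly trusts, and the response should also carry `Vary: Origin` so a shared cache cannot hand one origin's reply to another. withCORS starts and ends outside this hunk, so the assumption that `*` is set earlier in the function rests on the added comment rather than on visible lines.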