fix(security): Access-Control-Allow-Credentials is all CORS requests #4669
bnevis-i merged 1 commit into edgexfoundry:main from bnevis-i:cors-header-tweak
Note to reviewers. The diff is showing more deltas than there actually are. This PR is just pulling 3 CORS headers forward into a section that does not depend on the HTTP verb.
Codecov Report
@@ Coverage Diff @@
## main #4669 +/- ##
=======================================
Coverage 41.84% 41.84%
=======================================
Files 105 105
Lines 9723 9723
=======================================
Hits 4069 4069
Misses 5308 5308
Partials 346 346
Moved to draft state. Somehow, even though the directives are there, they are not "taking".
…ests Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>
Kudos, SonarCloud Quality Gate passed!
Ready for review again. Lesson learned. If you use add_header in a block, it forgets about the containing block's add_header directives :-(
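
The add_header behaviour described in the comment above, as an added example that is not code from this PR or from EdgeX: a small Python check that reports nginx blocks whose own add_header directives stop them inheriting headers set in an enclosing block. The config in SAMPLE (origin, paths, header values) is constructed, and the tokenizer is simplified: it assumes any regex containing braces is quoted.

```python
import re

# Constructed sample (not the PR's config): CORS headers at server level, one more in a verb-specific block.
SAMPLE = """
server {
    add_header Access-Control-Allow-Origin "https://ui.example.test";
    add_header Access-Control-Allow-Credentials "true";
    location /api/ {
        if ($request_method = OPTIONS) {
            add_header Access-Control-Max-Age 3600;
            return 204;
        }
    }
}
"""
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+''')

def parse(conf):
    """Build a tree of blocks, recording the lowercased add_header names set in each."""
    root = {"label": "main", "headers": set(), "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue  # comment
        if tok == "{":
            block = {"label": " ".join(words), "headers": set(), "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == ";" and len(words) >= 3 and words[0] == "add_header":
            stack[-1]["headers"].add(words[1].strip("\"'").lower())
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    return root

def dropped_headers(conf):
    """List (block, headers) where a block's own add_header hides inherited ones."""
    findings = []
    def walk(block, inherited):
        own = block["headers"]
        if own and inherited - own:
            findings.append((block["label"], sorted(inherited - own)))
        for child in block["children"]:
            walk(child, own or inherited)  # own directives replace the inherited set
        return findings
    return walk(parse(conf), set())
```

On SAMPLE this reports the `if` block as losing both CORS headers; repeating the two server-level add_header lines inside that block clears the finding.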

Access-Control-Allow-Credentials must be sent for non-preflight requests as well. Note that this PR has TAF approval to send extra headers in order to avoid complicated boolean logic in the nginx rules.
PR Checklist
Please check if your PR fulfills the following requirements:
BREAKING CHANGE: describing the break)
Testing Instructions
TAF team will be testing: #4648
New Dependency Instructions (If applicable)