
CORSMiddleware does not provide explicit origin although Authorization header is present #1832

Open
@Kludex


Discussed in #1823

Originally posted by gyusang August 26, 2022
When sending a CORS request with credentials, a wildcard origin is rejected by the standard.
The CORS middleware handles this case when cookies are included, but is missing the case when the Authorization header is present.

    if self.allow_all_origins and has_cookie:
        self.allow_explicit_origin(headers, origin)

Since token authentication is also widely used these days, I believe an explicit header should be returned when the Authorization header is present.
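
The following is an added example, not Starlette's code and not part of the original post: a stand-alone model of the header decision quoted above, next to the browser-side CORS check from the Fetch standard. The function names, the `check_authorization` switch, the lowercase header keys and the sample requests are assumptions made for illustration; the client is assumed to use credentials mode `include` and to send a bearer token without any cookie.

```python
ORIGIN = "https://app.example"  # constructed sample origin

# Constructed sample requests (lowercase header names assumed).
COOKIE_REQUEST = {"origin": ORIGIN, "cookie": "session=constructed"}
TOKEN_REQUEST = {"origin": ORIGIN, "authorization": "Bearer constructed-token"}


def simple_response_headers(request_headers, check_authorization=False):
    """Model of a CORS middleware set to allow all origins with credentials.

    check_authorization=False mirrors the cookie-only condition quoted in
    the issue; True models the change the issue asks for (hypothetical flag).
    """
    headers = {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    }
    has_cookie = "cookie" in request_headers
    has_authorization = check_authorization and "authorization" in request_headers
    if has_cookie or has_authorization:
        # Echo the caller's origin instead of the wildcard; Vary stops shared
        # caches from replaying this response to a different origin.
        headers["Access-Control-Allow-Origin"] = request_headers["origin"]
        headers["Vary"] = "Origin"
    return headers


def browser_cors_check(response_headers, origin, credentials_mode):
    """CORS check from the Fetch standard, reduced to the two headers involved."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    if credentials_mode != "include" and allowed == "*":
        return True  # wildcard is fine for non-credentialed requests
    if allowed != origin:
        return False  # "*" never matches when credentials are included
    if credentials_mode != "include":
        return True
    return response_headers.get("Access-Control-Allow-Credentials") == "true"


def run_cases():
    """Return the browser verdict for each modelled combination."""
    def check(req, **kw):
        return browser_cors_check(simple_response_headers(req, **kw), ORIGIN, "include")
    return {
        "cookie, cookie-only check": check(COOKIE_REQUEST),
        "token, cookie-only check": check(TOKEN_REQUEST),
        "token, with Authorization check": check(TOKEN_REQUEST, check_authorization=True),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case}: {'accepted' if accepted else 'blocked by browser'}")
```

Echoing the request origin together with `Access-Control-Allow-Credentials: true` lets any site make credentialed reads, so deployments that do not need that are better served by an explicit origin allowlist.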


Labels: cors (Cross-Origin Resource Sharing), good first issue (Good for beginners), help wanted (Feel free to help)
