Skip to content

Return explicit origin in CORS response when credentials are allowed#3137

Merged
Kludex merged 1 commit into
mainfrom
fix/cors-credentials-explicit-origin
Feb 14, 2026
Merged

Return explicit origin in CORS response when credentials are allowed#3137
Kludex merged 1 commit into
mainfrom
fix/cors-credentials-explicit-origin

Conversation

@Kludex

@Kludex Kludex commented Feb 14, 2026

Copy link
Copy Markdown
Owner

When allow_origins=["*"] and allow_credentials=True, the simple response path now returns the explicit request origin instead of *. This aligns with the preflight path, which already does this since #1113.

The previous approach inspected request headers (cookies) to decide when to echo the origin. This is unreliable - the server can't observe the client's credentials mode from request headers alone. Instead, we use allow_credentials as the signal, same as django-cors-headers and envoy-proxy.

Supersedes #1824, #2506, #3127, #3134.

@Kludex Kludex merged commit 02b6ed7 into main Feb 14, 2026
6 checks passed
@Kludex Kludex deleted the fix/cors-credentials-explicit-origin branch February 14, 2026 10:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant