fix(cors): enable credentials, enumerate origins for PouchDB sessions
PouchDB-style apps call fetch with credentials: 'include' to maintain the CouchDB _session cookie. Without Access-Control-Allow-Credentials: true in the preflight response, the browser silently blocks the mutating request (Firefox HAR shows status 0, _securityState insecure). Switching cors/credentials to true forces enumerating allowed origins (wildcard + credentials is forbidden by the CORS spec). Listed are the common Vite/Next/etc. local dev ports plus the vaquant.at frontend.
This commit is contained in:
@@ -60,8 +60,8 @@ services:
|
||||
echo "cfg $$1/$$2 = $$3"
|
||||
}
|
||||
put_config chttpd enable_cors true
|
||||
put_config cors origins '*'
|
||||
put_config cors credentials false
|
||||
put_config cors origins 'http://localhost:8080,http://localhost:5173,http://localhost:3000,http://localhost:4173,https://vaquant.at'
|
||||
put_config cors credentials true
|
||||
put_config cors methods 'GET, PUT, POST, HEAD, DELETE'
|
||||
put_config cors headers 'accept, authorization, content-type, origin, referer, x-csrf-token'
|
||||
|
||||
|
||||
Reference in New Issue
Block a user