PouchDB-style apps call fetch with credentials: 'include' to maintain the CouchDB _session cookie. Without Access-Control-Allow-Credentials: true in the preflight response, the browser silently blocks the mutating request (Firefox HAR shows status 0, _securityState insecure). Switching cors/credentials to true forces enumerating allowed origins (wildcard + credentials is forbidden by the CORS spec). Listed are the common Vite/Next/etc. local dev ports plus the vaquant.at frontend.
2.3 KiB
2.3 KiB