Why does the credentials CORS options accept only false?

[hamzahamidi]

Runtime

nodejs

Runtime version

v18.17.1

Module version

21.3.0

Used with

No response

Any other relevant information

No response

How can we help?

From the json schema here

   credentials: Validate.boolean().when('origin', { is: 'ignore', then: false }).default(false),

I'm trying to set the CORS credentials to true like:

      cors: {
        origin: ['*'],
        credentials: true,
        additionalHeaders: [
          'Accept',
          'Authorization',
          'Content-Type',
          'If-None-Match',
          'Access-Control-Allow-Credentials',
        ],
        additionalExposedHeaders: ['WWW-Authenticate', 'Server-Authorization', 'Access-Control-Allow-Credentials'],

Yet I get:

 '[1] "cors.credentials" must be one of [false]\x1B[0m',

[devinivy]

Unfortunately CORS doesn't permit you to use the wildcard * for origins while also allowing credentials: browsers wont allow it. This is described in some more detail here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

[hamzahamidi]

Thanks for the info. However, when I change the origin to a specific url. Somehow the origin still equals to ignore.

[devinivy]

If you could share some more code that would be useful! Are you configuring this on a route, or on the server?

[hamzahamidi]

It's on the server side. It's coming from this line

   const settings = internals.config([core.settings.routes, handlerDefaults, realm.settings, rulesConfig, config]);

At some point the value is changed to ignore

   config = Hoek.applyToDefaults(config, item, { shallow: ['bind', 'validate.headers', 'validate.payload', 'validate.params', 'validate.query', 'validate.state'] });

I couldn't catch when because it's called hundred of times.