unable to allow specific CORS origin for api

[DrWarpMan]

bug description

I believe setting cors=0 in the environment variables does not do anything.

Here we can see that when cors === '0', corsConfig is set to { origin: process.env.webURL, optionsSuccessStatus: 200 }.

Unfortunately, process.env.webURL will always be undefined, simply because apiMode is true only when process.env.webURL is undefined (see here).

[DrWarpMan]

I see that there is already an open PR for a "fresh start", so you should take this issue into consideration if you intend to use the same logic to choose between running api/web mode.

[DrWarpMan]

Could you possibly take this into consideration as well?
https://developer.mozilla.org/en-US/docs/Web/Manifest#deploying_a_manifest

When using authentication in front of the cobalt frontend, I am unable to retrieve the manifest file cause of the CORS issue.

"If the manifest requires credentials to fetch, the crossorigin attribute must be set to use-credentials, even if the manifest file is in the same origin as the current page."

Adding crossorigin="use-credentials" attribute here would fix this problem, not sure if this is the right solution.

[wukko]

hey! i've updated the env variable to be CORS_URL (just like in wip 8.0)

make sure you're on 7.10.3 and try again, lmk if it works this time.
(i tested locally and it worked fine but i still would love feedback)

[DrWarpMan]

Works.