Request with credentials not working due to Origin: * #8

Closed
jorygeerts opened this issue Nov 22, 2016 · 4 comments

@jorygeerts

As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials "when responding to a credentialed request, server must specify a domain, and cannot use wild carding".

CorsService::getCorsHeaders() currently has 'Access-Control-Allow-Origin' => '*',. If this were changed to 'Access-Control-Allow-Origin' => $request->headers->get('Origin') ?: '*', then credentialed requests will also work.

@vluzrmos is this a change you would be OK with? If so, would you like a pull request?

@vluzrmos
Owner

Yes, I would be glad.

@jorygeerts
Author

OK, I'll send a PR shortly.

Would you also be open to setting the Access-Control-Max-Age response header? Perhaps based on a configuration value (cors_max_age for example)? Without that header, every API call gets its own preflight request, which isn't a huge problem but it isn't great either.

@jorygeerts
Author

As the project in which we're using this library moves on, we're finding that we need more configuration and flexibility (for now, setting Expose-Headers based on configuration and setting Vary to support multiple JS front-ends using the same back end). Based on the readme this "package stands to be free of configurations", it seems you do not want to take your project in that direction. Would you still like a PR with those changes? (In case you're interested in what the changes are, you can see them at https://github.com/jorygeerts/lumen-cors/commits/master)

@vluzrmos
Owner

vluzrmos commented Dec 3, 2016

No, I'm sorry for that. I really want to keep that package free of configurations. Have you tried to do that on Barryvdh/LaravelCors or Nordsoftware/LumenCors? By the way, you are free to rename my package to use it your way and republish it on Packagist. You are also free to think of a "non-configurable" way to do those things.
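
An added example (not code from lumen-cors or from either commenter) of the header logic discussed in this thread: it echoes the request's Origin for credentialed requests only when that origin is on an exact-match allowlist, because echoing any Origin together with Access-Control-Allow-Credentials lets any site read authenticated responses, and it sets the Vary and Access-Control-Max-Age headers mentioned in the comments. The function name corsHeaders, the allowlist entries and the 600-second max age are assumptions.

```php
<?php
// Added example, not code from lumen-cors. The function name, allowlist
// entries and max-age value are assumptions made for illustration.

/**
 * Build CORS response headers from the request's Origin header.
 *
 * @param string|null $origin         value of the Origin request header, if any
 * @param string[]    $allowedOrigins exact origins allowed to send credentials
 * @param int         $maxAge         seconds a preflight result may be cached
 * @return array<string,string>
 */
function corsHeaders(?string $origin, array $allowedOrigins, int $maxAge = 600): array
{
    // Access-Control-Allow-Origin varies per request, so caches must key on Origin.
    $headers = ['Vary' => 'Origin'];

    if ($origin === null || $origin === '') {
        // No Origin header (same-origin or non-browser client): the wildcard
        // is acceptable, but credentials are never allowed alongside it.
        $headers['Access-Control-Allow-Origin'] = '*';
        return $headers;
    }

    // Strict, exact-match comparison: no substring or pattern matching.
    if (!in_array($origin, $allowedOrigins, true)) {
        // Unknown origin: send no allow headers, so the browser blocks the read.
        return $headers;
    }

    $headers['Access-Control-Allow-Origin'] = $origin;
    $headers['Access-Control-Allow-Credentials'] = 'true';
    // Lets the browser cache the preflight instead of repeating it per call.
    $headers['Access-Control-Max-Age'] = (string) $maxAge;
    return $headers;
}

// Constructed sample input: two allowed front-ends and one unknown origin.
$allowed = ['https://app.example.com', 'https://admin.example.com'];
foreach ([null, 'https://app.example.com', 'https://other.example.net'] as $origin) {
    echo ($origin ?? '(no Origin)'), "\n";
    foreach (corsHeaders($origin, $allowed) as $name => $value) {
        echo "  $name: $value\n";
    }
}
```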
