- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 73.20
- Fix Version/s: 73.22
- Component/s: Technical / Transverse
- Epic Link:
- Tags:
- Sprint: NOS 10.3.6
- Story Points: 3

nelson [11:38 AM]
while revisiting the VD live reload thingie I noticed we have hardcoded `Access-Control-Allow-Origin *` in https://github.com/nuxeo/nuxeo-connect-priv/commit/69f4ed4e0a6a48e25abc3830fe0e190718d7e1fd#diff-8585ec723cc2ae241846dfc380b209c1
thing is won't work for authenticated requests as browsers require servers to respond with an origin (not a wildcard)
CORS filter handles this by returning the origin here
I'm getting `Failed to load https://connect.nuxeo.com/nuxeo/site/studio/v2/project/nsilva-SANDBOX/workspace/ws.resources: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8080' is therefore not allowed access.`
rsertelon [11:41 AM]
So instead of `*` we should instead return the Origin sent by the browser, right?
nelson [11:47 AM]
Nuxeo's cors filter should take care of that with the right cors config in place
if you set a wildcard in that config it will respond with the origin
rsertelon [11:48 AM]
ok, I see, thanks :slightly_smiling_face: