Details
Bug
Status: Closed
Major
Resolution: Fixed
Description
According to this: http://www.w3.org/TR/cors/#resource-preflight-requests
...when Access-Control-Allow-Credentials: true is set, the response Origin: must be the same as the request Origin (see bullet #7).
It doesn't say why in the RFC (that I could see), but I presume there are security implications.
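
Added example, not part of the original report or the project's code: a sketch of the rule described above, with the server echoing an allowlisted request Origin when credentials are enabled and the client-side check that rejects anything else. The function names, policy shape and origins are hypothetical.

```javascript
// Server side: build CORS response headers for a request carrying `origin`.
// `policy` is a hypothetical shape: { allowedOrigins, allowCredentials, allowAnyOrigin }.
function corsResponseHeaders(origin, policy) {
  if (!origin) return {};                        // no Origin header: not a CORS request
  const listed = policy.allowedOrigins.includes(origin);
  if (policy.allowCredentials) {
    // With credentials, never answer "*": echo the exact request Origin,
    // and only when it is on the allowlist.
    if (!listed) return {};
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",                          // keep caches from mixing origins
    };
  }
  if (policy.allowAnyOrigin) return { "Access-Control-Allow-Origin": "*" };
  return listed
    ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" }
    : {};
}

// Client side: the check a browser applies to the response headers.
function passesSharingCheck(origin, headers, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) return allowOrigin === "*" || allowOrigin === origin;
  // Credentialed request: the wildcard is rejected, the value must equal the
  // request origin, and Access-Control-Allow-Credentials must be exactly "true".
  return allowOrigin === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed sample policy.
const samplePolicy = {
  allowedOrigins: ["https://app.example"],
  allowCredentials: true,
  allowAnyOrigin: false,
};
```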