potiuk opened a new pull request, #67502: URL: https://github.com/apache/airflow/pull/67502
The `Access-Control-Allow-Origin: *` + `Access-Control-Allow-Credentials: true` combination is invalid per the CORS spec and browsers refuse to honour any response that does so.

The previous fix (#66503) added an `access_control_allow_credentials` toggle so deployments could opt out, but `allow_credentials=False` breaks the UI on any deployment where API and UI are on different origins — so that knob has no realistic use case (see #67193 for the revert discussion).

This PR takes the other route: drop the toggle, always send credentialed CORS, and reject `*` in `access_control_allow_origins` at startup with a clear `AirflowConfigException`. Operators get an immediate, descriptive error instead of debugging mysterious CORS failures in the browser.

closes: #67193

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Opus 4.7 (1M context)

Generated-by: Claude Opus 4.7 (1M context) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
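A sketch of the startup check the PR describes, paired with the header logic that makes a wildcard unusable once credentials are always sent. This is an added example, not code from the PR or from Airflow: `ConfigError` stands in for `AirflowConfigException`, the function names, error text and `example.com` origins are constructed, and the origin-format check goes beyond the `*` rejection the PR describes.

```python
from urllib.parse import urlsplit


class ConfigError(Exception):
    """Stand-in for AirflowConfigException so this runs without Airflow."""


def validate_allow_origins(origins):
    """Startup check for a deployment that always sends credentialed CORS."""
    cleaned = []
    for raw in origins:
        origin = raw.strip()
        if not origin:
            continue
        if origin == "*":
            raise ConfigError(
                "access_control_allow_origins must not contain '*': browsers "
                "reject a wildcard origin on credentialed responses; "
                "list each UI origin explicitly."
            )
        parts = urlsplit(origin)
        # An Origin header is scheme://host[:port] only, so an entry with a
        # path, query or trailing slash can never match one exactly.
        if (parts.scheme not in ("http", "https") or not parts.netloc
                or parts.path or parts.query or parts.fragment):
            raise ConfigError(f"not a usable origin: {origin!r}")
        cleaned.append(origin)
    return cleaned


def cors_headers(request_origin, allowed):
    """Echo the request origin only on an exact allow-list match."""
    if request_origin not in allowed:
        return {}  # no CORS headers, so the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches reusing one origin's response for another
    }


if __name__ == "__main__":
    # Constructed sample configuration values.
    allowed = validate_allow_origins(["https://ui.example.com"])
    print(cors_headers("https://ui.example.com", allowed))
    try:
        validate_allow_origins(["https://ui.example.com", "*"])
    except ConfigError as exc:
        print(f"startup refused: {exc}")
```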
