kaxil commented on code in PR #67502:
URL: https://github.com/apache/airflow/pull/67502#discussion_r3317637444
##########
airflow-core/docs/security/api.rst:
##########
@@ -86,10 +86,12 @@ from scripts running in the browser.
access_control_allow_methods = POST, GET, OPTIONS, DELETE
access_control_allow_origins = https://exampleclientapp1.com
https://exampleclientapp2.com
-The ``Access-Control-Allow-Credentials`` header is included by default. Set
-``access_control_allow_credentials = False`` if you have configured
-``access_control_allow_origins`` and do not want browsers to send credentials
-(cookies, ``Authorization`` header) with cross-origin requests.
+Airflow's API always responds with ``Access-Control-Allow-Credentials: true``
so the UI and
Review Comment:
Can we add a newsfragment about this please so it is prominent in the
release notes -- so if someone is relying on it, they know.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
