Joop Ringelberg created COUCHDB-3020:
----------------------------------------
Summary: Allow Set-Cookie header in CORS response
Key: COUCHDB-3020
URL: https://issues.apache.org/jira/browse/COUCHDB-3020
Project: CouchDB
Issue Type: Bug
Components: HTTP Interface
Reporter: Joop Ringelberg
Even if 'Set-Cookie' is added to the headers section of the CORS configuration,
a response will NOT include it in the 'Access-Control-Expose-Headers' header.
This means it is not possible to capture the AuthSession cookie in client code,
even though CouchDB actually sends a Set-Cookie header. This conforms to the
'fetch' specification (https://fetch.spec.whatwg.org/#cors-protocol, see 4.2.5
CORS protocol and credentials).
It seems to me that this behaviour results from couch_httpd_cors.erl, lines 25
through 28, where the SUPPORTED_HEADERS variable is defined. This variable is
used to filter the content of the headers section of the CORS configuration. It
does not hold 'Set-Cookie'.
Hence, my request is that this particular header is added to that variable.
Regards, Joop
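
An added illustration, not part of the issue or of CouchDB's code: a JavaScript model of how the Fetch specification cited above decides which headers of a cross-origin response a script can read, including its rule that Set-Cookie is a forbidden response-header name. The function name, the sample response and `X-Example-Header` are constructed for this example.

```javascript
// Model of the Fetch spec's "CORS filtered response" header rules.
// Added example; not CouchDB code and not a browser API.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Forbidden response-header names: never visible to script.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// responseHeaders: plain object of header name -> value.
// credentialed: true when the request used credentials mode "include".
function scriptVisibleHeaders(responseHeaders, credentialed) {
  const entries = Object.entries(responseHeaders)
    .map(([name, value]) => [name.toLowerCase(), value]);
  const expose = entries.find(([n]) => n === "access-control-expose-headers");
  let exposed = expose
    ? expose[1].split(",").map((s) => s.trim().toLowerCase()).filter(Boolean)
    : [];
  // "*" is a wildcard only for requests made without credentials.
  if (!credentialed && exposed.includes("*")) {
    exposed = entries.map(([n]) => n);
  }
  const exposedSet = new Set(exposed);
  const visible = {};
  for (const [n, value] of entries) {
    if (SAFELISTED.has(n) || (exposedSet.has(n) && !FORBIDDEN.has(n))) {
      visible[n] = value;
    }
  }
  return visible;
}

// Constructed sample: a session response that lists Set-Cookie as exposed.
const sampleResponse = {
  "Content-Type": "application/json",
  "Server": "CouchDB",
  "Set-Cookie": "AuthSession=constructed-value; HttpOnly",
  "X-Example-Header": "1",
  "Access-Control-Expose-Headers": "Set-Cookie, X-Example-Header",
};

console.log(scriptVisibleHeaders(sampleResponse, true));
```

In a browser the AuthSession cookie is stored by the cookie jar when the request is credentialed and the server answers with `Access-Control-Allow-Credentials: true`; client code does not read it from the response headers.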