[ https://issues.apache.org/jira/browse/COUCHDB-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joop Ringelberg closed COUCHDB-3020.
------------------------------------
Resolution: Not A Problem
It is a non-issue. Please see my comment on the issue itself. Briefly, I
confused server-side with client-side handling of the session token.
> Allow Set-Cookie header in CORS response
> ----------------------------------------
>
> Key: COUCHDB-3020
> URL: https://issues.apache.org/jira/browse/COUCHDB-3020
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Reporter: Joop Ringelberg
>
> Even if 'Set-Cookie' is added to the headers section of the CORS
> configuration, a response will NOT include it in the
> 'Access-Control-Expose-Headers' header. This means it is not possible to
> capture the AuthSession cookie in client code, even though CouchDB actually
> sends a Set-Cookie header. This conforms to the 'fetch' specification
> (https://fetch.spec.whatwg.org/#cors-protocol, see 4.2.5 CORS protocol and
> credentials).
> It seems to me that this behaviour results from couch_httpd_cors.erl, lines
> 25 through 28, where the SUPPORTED_HEADERS variable is defined. This variable
> is used to filter the content of the headers section of the CORS
> configuration. It does not hold 'Set-Cookie'.
> Hence, my request is that this particular header is added to that variable.
> Regards, Joop
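The client-side handling referred to above, as an added example that is not part of the original message or of CouchDB's code: a model of the Fetch specification's CORS response-header filtering, showing that `Set-Cookie` never reaches script even when it is listed in `Access-Control-Expose-Headers`, while the browser's cookie store still receives it on a credentialed request. The function names, the `https://app.example` origin and the sample header values are constructed for illustration.

```javascript
// CORS-safelisted response-header names (Fetch spec): always readable by script.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
// Forbidden response-header names (Fetch spec): never readable by script.
const FORBIDDEN_RESPONSE = new Set(["set-cookie", "set-cookie2"]);

function parseExposeList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Returns the headers page script could read from a cross-origin response.
function scriptVisibleHeaders(responseHeaders, credentialsMode) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  let exposed = parseExposeList(lower["access-control-expose-headers"]);
  // "*" is a wildcard only when the request is not credentialed.
  if (credentialsMode !== "include" && exposed.includes("*")) exposed = Object.keys(lower);
  const allowed = new Set([...SAFELISTED, ...exposed]);
  const visible = {};
  for (const [name, value] of Object.entries(lower)) {
    if (FORBIDDEN_RESPONSE.has(name)) continue; // dropped even if the server exposes it
    if (allowed.has(name)) visible[name] = value;
  }
  return visible;
}

// The cookie goes to the browser's cookie store, not to script, and only
// when the cross-origin request was made with credentials: "include".
function cookieJarReceives(responseHeaders, credentialsMode) {
  const hasCookie = Object.keys(responseHeaders)
    .some(k => k.toLowerCase() === "set-cookie");
  return hasCookie && credentialsMode === "include";
}

// Constructed sample: a session response from a server configured to
// expose Set-Cookie, as the issue requested.
const sampleSessionResponse = {
  "Content-Type": "application/json",
  "Set-Cookie": "AuthSession=CONSTRUCTED-TOKEN; Version=1; Path=/; HttpOnly",
  "X-Couch-Request-ID": "constructed-id",
  "Access-Control-Allow-Origin": "https://app.example",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Expose-Headers": "Set-Cookie, X-Couch-Request-ID",
};

console.log(scriptVisibleHeaders(sampleSessionResponse, "include"));
console.log(cookieJarReceives(sampleSessionResponse, "include"));
```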