diff --git a/src/actual.js b/src/actual.js
index 3fdfa68..448178c 100644
--- a/src/actual.js
+++ b/src/actual.js
@@ -12,6 +12,7 @@ var restify = require('restify');
 
 exports.handler = function(options) {
   return restify.CORS({
+    credentials: options.credentials,
     origins: options.origins,
     headers: options.exposeHeaders
   });
diff --git a/src/index.js b/src/index.js
index 84fa0d6..a3a7e3f 100644
--- a/src/index.js
+++ b/src/index.js
@@ -7,6 +7,7 @@ module.exports = function(options) {
   if (! util.isArray(options.origins)) options.origins = ['*'];
   if (! util.isArray(options.allowHeaders)) options.allowHeaders = [];
   if (! util.isArray(options.exposeHeaders)) options.exposeHeaders = [];
+  if (options.origins[0] === '*') options.credentials = false;
 
   return {
     actual: actual.handler(options),
diff --git a/test/cors.actual.spec.js b/test/cors.actual.spec.js
index b763ffd..3cde03f 100644
--- a/test/cors.actual.spec.js
+++ b/test/cors.actual.spec.js
@@ -44,6 +44,32 @@ describe('CORS: simple / actual requests', function() {
       .end(done);
   });
 
+  it('6.1.3 Does not set Access-Control-Allow-Credentials header if Origin is *', function(done) {
+    var server = test.corsServer({
+      origins: ['*'],
+      credentials: true
+    });
+    request(server)
+      .get('/test')
+      .set('Origin', 'http://api.myapp.com')
+      .expect(test.noHeader('access-control-allow-credentials'))
+      .expect(200)
+      .end(done);
+  });
+
+  it('6.1.3 Sets Access-Control-Allow-Credentials header if configured', function(done) {
+    var server = test.corsServer({
+      origins: ['http://api.myapp.com'],
+      credentials: true
+    });
+    request(server)
+      .get('/test')
+      .set('Origin', 'http://api.myapp.com')
+      .expect('access-control-allow-credentials', 'true')
+      .expect(200)
+      .end(done);
+  });
+
   it('6.1.4 Does not set exposed headers if empty', function(done) {
     var server = test.corsServer({
       origins: ['http://api.myapp.com', 'http://www.myapp.com']
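Review bot: The wildcard guard added in src/index.js inspects only `options.origins[0]`, so a list such as `['http://api.myapp.com', '*']` keeps `credentials: true` while the wildcard entry still matches every origin; `if (options.origins.indexOf('*') !== -1) options.credentials = false;` covers the whole list and stays within the ES5 style the file already uses. Whether a wildcard entry makes the plugin echo the request's Origin alongside the credentials header cannot be confirmed from these hunks, but that combination is exactly what the guard exists to prevent, so the position of `'*'` in the list should not matter. The new specs in test/cors.actual.spec.js exercise only `origins: ['*']`; a case with `'*'` in a later position alongside a concrete origin would pin the broader rule. The enclosing `module.exports` function continues outside the hunk.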