
Authorization breaks CORS support

Open diachedelic opened this issue 5 years ago • 2 comments

It seems GCDWebServer, when configured to use Basic auth, requires the Authorization header on preflight (OPTIONS) requests. However, the spec states that browsers are not to send the Authorization header for preflight, so unfortunately I cannot use both CORS and authorization, as the preflight requests are rejected with 401 Unauthorized.

Refer to the CORS spec where it says preflight requests should "Exclude user credentials".

diachedelic, May 07 '20 05:05

Good catch, thanks for reporting.

swisspol, May 23 '20 13:05

Still not solved? I have the same issue... Maybe the preflight should return a 204 status code to be able to support web browsers.

fabiosoft, Dec 07 '22 12:12