swisspol/GCDWebServer

Authorization breaks CORS support

Opened this issue · 2 comments

It seems GCDWebServer, when configured to use Basic auth, requires the Authorization header on preflight (OPTIONS) requests. However, the spec states that browsers are not to send the Authorization header for preflight, so unfortunately I cannot use both CORS and authorization, as the preflight requests are rejected with 401 Unauthorized.

Refer to the CORS spec where it says preflight requests should "Exclude user credentials".

Good catch, thanks for reporting.

Still not solved? I have the same issue... The preflight maybe should return a 204 status code to be able to support web browsers.
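The request ordering this thread asks for, as an added example that is not part of the original issue and not GCDWebServer code: a genuine CORS preflight is answered before the Basic auth check, while every other request, including a plain OPTIONS, still needs credentials. The `handle` function, the allowed origin, and the account are assumptions constructed for illustration.

```python
import base64
import hmac

# Constructed values for this sketch, not GCDWebServer settings.
ALLOWED_ORIGINS = {"https://app.example.test"}
USERS = {"alice": "constructed-password"}


def is_preflight(method, headers):
    """A CORS preflight is OPTIONS carrying Origin and Access-Control-Request-Method."""
    return (method == "OPTIONS" and "origin" in headers
            and "access-control-request-method" in headers)


def basic_auth_ok(headers):
    """Check an 'Authorization: Basic ...' header against USERS."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison of the password bytes.
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def handle(method, raw_headers):
    """Return (status, response_headers) for one request."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    origin = headers.get("origin")
    cors = {}
    if origin in ALLOWED_ORIGINS:
        cors = {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    if is_preflight(method, headers):
        # Answered before the auth check: browsers send no credentials here.
        # Only CORS metadata is returned, and only to allow-listed origins.
        if not cors:
            return 403, {}
        cors["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        cors["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        return 204, cors
    if not basic_auth_ok(headers):
        # CORS headers stay on the 401 so the calling page can read the status.
        return 401, {**cors, "WWW-Authenticate": 'Basic realm="example"'}
    return 200, cors
```

The exemption is keyed on the preflight's shape, not on the OPTIONS method alone, so it returns no resource data and does not widen what an unauthenticated client can reach.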