From: Daniel Murrell Date: Thu, 5 Nov 2020 21:03:45 +0000 (+0000) Subject: 📝 Add note in CORS tutorial about allow_origins with ["*"] and allow_credentials... X-Git-Tag: 0.61.2~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5df00f3ec40e85e58c2b2b4e959c988be6412df0;p=thirdparty%2Ffastapi%2Ffastapi.git 📝 Add note in CORS tutorial about allow_origins with ["*"] and allow_credentials (#1895) --- diff --git a/docs/en/docs/tutorial/cors.md b/docs/en/docs/tutorial/cors.md index 6a694995a1..50b83969bc 100644 --- a/docs/en/docs/tutorial/cors.md +++ b/docs/en/docs/tutorial/cors.md @@ -58,7 +58,7 @@ The following arguments are supported: * `allow_origin_regex` - A regex string to match against origins that should be permitted to make cross-origin requests. eg. `'https://.*\.example\.org'`. * `allow_methods` - A list of HTTP methods that should be allowed for cross-origin requests. Defaults to `['GET']`. You can use `['*']` to allow all standard methods. * `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for CORS requests. -* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. +* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. Also, `allow_origins` cannot be set to `['*']` for credentials to be allowed, origins must be specified. * `expose_headers` - Indicate any response headers that should be made accessible to the browser. Defaults to `[]`. * `max_age` - Sets a maximum time in seconds for browsers to cache CORS responses. Defaults to `600`.
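Review bot: The sentence added to the `allow_credentials` bullet is a comma splice and does not say what happens when the two settings are combined, so a reader cannot tell whether `allow_origins=['*']` with `allow_credentials=True` is rejected, silently ignored, or just ineffective in the browser. Suggest splitting it and stating the reason, for example: "To allow credentials, `allow_origins` cannot be set to `['*']`. The origins must be listed explicitly." The underlying reason is worth one clause: browsers refuse a credentialed cross-origin response whose `Access-Control-Allow-Origin` is the wildcard. Two related gaps in the same hunk: the `allow_methods` and `allow_headers` bullets still tell readers they can use `['*']` without saying whether that holds when credentials are enabled, and the `allow_origin_regex` bullet sits right above with a broad example pattern, so the note should make clear that a catch-all regex is not a safe substitute for listing trusted origins when cookies are sent.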