From: Diego Fioravanti Date: Sat, 16 Dec 2023 14:41:37 +0000 (+0100) Subject: Clarify that wildcard and credentials are mutually exclusive (#2210) X-Git-Tag: 0.34.0~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a2a3df31f29ff4a6743d68cc140615598ffb494c;p=thirdparty%2Fstarlette.git Clarify that wildcard and credentials are mutually exclusive (#2210) Co-authored-by: Marcelo Trylesinski --- diff --git a/docs/middleware.md b/docs/middleware.md index 4ec25c3f..759c86d7 100644 --- a/docs/middleware.md +++ b/docs/middleware.md @@ -75,7 +75,7 @@ The following arguments are supported: * `allow_origin_regex` - A regex string to match against origins that should be permitted to make cross-origin requests. eg. `'https://.*\.example\.org'`. * `allow_methods` - A list of HTTP methods that should be allowed for cross-origin requests. Defaults to `['GET']`. You can use `['*']` to allow all standard methods. * `allow_headers` - A list of HTTP request headers that should be supported for cross-origin requests. Defaults to `[]`. You can use `['*']` to allow all headers. The `Accept`, `Accept-Language`, `Content-Language` and `Content-Type` headers are always allowed for CORS requests. -* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. +* `allow_credentials` - Indicate that cookies should be supported for cross-origin requests. Defaults to `False`. Also, `allow_origins`, `allow_methods` and `allow_headers` cannot be set to `['*']` for credentials to be allowed, all of them must be explicitly specified. * `expose_headers` - Indicate any response headers that should be made accessible to the browser. Defaults to `[]`. * `max_age` - Sets a maximum time in seconds for browsers to cache CORS responses. Defaults to `600`.