Always set 'Access-Control-Allow-Credentials: true' in preflight response

andreasf · andreasf · commit b00dd98a1008 · 2018-09-03T15:25:22.000+02:00
diff --git a/lib/pact/mock_service/request_handlers/options.rb b/lib/pact/mock_service/request_handlers/options.rb
@@ -9,6 +9,7 @@ class Options < BaseRequestHandler
 
         HTTP_ACCESS_CONTROL_REQUEST_METHOD = "HTTP_ACCESS_CONTROL_REQUEST_METHOD".freeze
         HTTP_ACCESS_CONTROL_REQUEST_HEADERS = "HTTP_ACCESS_CONTROL_REQUEST_HEADERS".freeze
+        ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials".freeze
         ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin".freeze
         ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods".freeze
         ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers".freeze
@@ -30,6 +31,7 @@ def match? env
 
         def respond env
           cors_headers = {
+            ACCESS_CONTROL_ALLOW_CREDENTIALS => 'true',
             ACCESS_CONTROL_ALLOW_ORIGIN => env.fetch(HTTP_ORIGIN,'*'),
             ACCESS_CONTROL_ALLOW_HEADERS => env.fetch(HTTP_ACCESS_CONTROL_REQUEST_HEADERS, '*'),
             ACCESS_CONTROL_ALLOW_METHODS => ALL_METHODS
diff --git a/spec/lib/pact/mock_service/request_handlers/options_spec.rb b/spec/lib/pact/mock_service/request_handlers/options_spec.rb
@@ -23,6 +23,7 @@ module RequestHandlers
             subject { response[1] }
 
             it { is_expected.to include 'Access-Control-Allow-Methods' => 'DELETE, POST, GET, HEAD, PUT, TRACE, CONNECT, PATCH' }
+            it { is_expected.to include 'Access-Control-Allow-Credentials' => 'true' }
 
             context "with Origin" do
               it { is_expected.to include 'Access-Control-Allow-Origin' => 'foo.com' }
