This repository has been archived by the owner on Feb 26, 2024. It is now read-only.

Access-Control-Allow-Credentials and Access-Control-Allow-Origin #282

Closed
wants to merge 8 commits into from

Conversation

dgendill
Contributor

I was working through this tutorial and serving my app on a local server. When I tried to call my contract I got the Access-Control-Allow-Origin error in the console. It looks like that issue was solved with this recent PR.

However, I think web3.js sets Request.credentials to 'include', which means we also need Access-Control-Allow-Credentials set to true and replace the wildcard in Access-Control-Allow-Origin with a specific domain ([Request.include can't be used with a wildcard](https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials)). This was the error I was seeing...

[screenshot of the browser console error]

So I think setting Access-Control-Allow-Origin to request.headers.origin and setting Access-Control-Allow-Credentials might be helpful.

…ead of *. Using web3 requires the access-control-allow-credentials header set to true, but you can't use that header if the access-control-allow-origin is a wildcard.
@davidmurdoch
Member

Thanks for the PR, @dgendill! Looks like there is a related issue at web3, too.

I'll need to add some tests for this and look into whether we can conditionally set the Access-Control-Allow-Credentials header only when the client is asking for it (same with changing to * vs request.headers.origin). Feel free to add tests and conditional logic, as we've got some other high-priority issues we're currently working on.

Additionally, it is possible that request.headers.origin is undefined, so this case will need to be properly handled as well.

Thanks again!

… CORS. Now showing an error message for OPTIONS requests that are not preflight requests.
@dgendill
Contributor Author

Thanks for taking a look at this, David, I'm glad to help. I added the check for the origin header, and a check to validate the preflight request.
I could be wrong, but it looks like there isn't a request header that is used to enable/disable the Access-Control-Allow-Credentials header in the response.
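
The points raised in this thread (echo the request's Origin instead of `*` because credentialed requests reject the wildcard, always send Access-Control-Allow-Credentials since no request header asks for it, handle a missing Origin, and reject OPTIONS requests that are not real preflights) fit into one small piece of server logic. The block below is an added example written for this page; it is not ganache-core's code or the code in this PR. The `allowedOrigins` allowlist is a hypothetical option: when it is empty the function reflects whatever Origin the browser sent, which is the behaviour the PR describes. Note the caveat that reflecting every Origin together with `Access-Control-Allow-Credentials: true` grants every website the user visits credentialed access to the endpoint, so an allowlist is the safer default for anything that is not a throwaway local dev node, and the literal `Origin: null` (sandboxed iframes, file:// pages) is refused rather than reflected.

```javascript
// Added example, not ganache-core's code: CORS handling for a local JSON-RPC
// endpoint called by web3.js with fetch() credentials set to 'include'.
// Assumption: `allowedOrigins` is a hypothetical allowlist option; when it is
// empty the server reflects whatever Origin the browser sent.

// A real preflight is OPTIONS + Origin + Access-Control-Request-Method.
// A bare OPTIONS without those is not a preflight and gets an error instead.
function isPreflight(method, headers) {
  return (
    method === "OPTIONS" &&
    typeof headers.origin === "string" &&
    typeof headers["access-control-request-method"] === "string"
  );
}

// Decide the CORS response for one request. `headers` are Node-style
// lower-cased request headers. Returns { status, headers, body }; body === null
// means "headers set, continue to the JSON-RPC handler".
function corsResponse(method, headers, allowedOrigins = []) {
  const origin = headers.origin;
  const out = {};

  // No Origin: same-origin page or a non-browser client (curl, node). There is
  // nothing to grant, so send no CORS headers at all; reflecting `undefined`
  // would emit the literal string "undefined" as the allowed origin.
  if (typeof origin !== "string") {
    return method === "OPTIONS"
      ? { status: 400, headers: out, body: "OPTIONS request is not a CORS preflight (missing Origin header)" }
      : { status: 200, headers: out, body: null };
  }

  // "null" is what sandboxed iframes, file:// pages and some redirects send.
  // Reflecting it with credentials lets any such document call us, so refuse.
  const allowed =
    origin !== "null" &&
    (allowedOrigins.length === 0 || allowedOrigins.includes(origin));
  if (!allowed) {
    // Omitting Access-Control-Allow-Origin makes the browser block the response.
    return method === "OPTIONS"
      ? { status: 403, headers: out, body: "Origin not allowed" }
      : { status: 200, headers: out, body: null };
  }

  // Credentialed requests reject "*": the value has to be the exact origin.
  // Vary: Origin stops a cache from handing this response to another origin.
  out["Access-Control-Allow-Origin"] = origin;
  out["Vary"] = "Origin";
  // No request header announces "I am sending credentials", so the server has
  // to emit this for every allowed origin.
  out["Access-Control-Allow-Credentials"] = "true";

  if (method === "OPTIONS") {
    if (!isPreflight(method, headers)) {
      return { status: 400, headers: out, body: "OPTIONS request is not a CORS preflight (missing Access-Control-Request-Method)" };
    }
    out["Access-Control-Allow-Methods"] = "POST, GET, OPTIONS";
    // Grant exactly the headers the browser asked about (e.g. content-type).
    const requested = headers["access-control-request-headers"];
    if (typeof requested === "string" && requested.length > 0) {
      out["Access-Control-Allow-Headers"] = requested;
    }
    out["Access-Control-Max-Age"] = "600";
    return { status: 204, headers: out, body: "" };
  }
  return { status: 200, headers: out, body: null };
}

// Glue for a Node http handler: returns true when the request was a preflight
// or an error and has been fully answered, false when the caller should go on
// to process the JSON-RPC body.
function applyCors(req, res, allowedOrigins = []) {
  const r = corsResponse(req.method, req.headers, allowedOrigins);
  for (const [name, value] of Object.entries(r.headers)) res.setHeader(name, value);
  if (r.body === null) return false;
  res.writeHead(r.status);
  res.end(r.body);
  return true;
}
```

To wire it into a server, call `applyCors(req, res, allowedOrigins)` at the top of the `http.createServer` request handler and return early when it reports `true`; the remaining requests already carry the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers the browser needs to read the JSON-RPC response.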

@davidmurdoch
Member

Really great work @dgendill! We'll take a closer look at this and get it merged in soon!

@davidmurdoch davidmurdoch self-requested a review January 25, 2019 21:29
@davidmurdoch
Member

Merged in 9633943! Thanks again @dgendill for this excellent PR!

@dgendill
Contributor Author

Thanks, David!

@davidmurdoch
Member

@dgendill we at Truffle were all seriously impressed by your thoroughness in this PR. Thanks again!
