For more context, please see all the discussions on the parent task, as well as on T232176 and T261053.
TLDR: It's been decided that by default the REST API will set access-control-allow-credentials: false, thus disallowing CORS requests with cookie authentication.
However, for the use case described in the parent task, we need to be able to enable it on a per-handler basis.
Proposal
Introduce a new method on the handler:

    /**
     * Returns a list of domains for which to allow CORS requests with credentials.
     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
     *
     * @return string[]
     * @internal
     */
    public function allowCorsWithCredentialsForOrigins() : array {
        // Name TBD, I'm notoriously bad at naming.
        return [];
    }
By default the method returns an empty array, thus disallowing cookie-authenticated CORS requests. A route handler that needs them has to override the method and return the list of origins allowed to make such requests.
Under the hood, if the returned list is not empty, the REST Framework will, for every request (including OPTIONS), check whether the Origin header is present and is in the allowed list; if it is, it sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin: <origin>. The echoed origin has to be an exact match of the Origin header: the standard does not allow a wildcard here when credentials are allowed.
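How the per-request check described above could be implemented, as an added example that is not MediaWiki's own code: buildCorsHeaders() and its parameters are assumed names, and the Vary header is an addition the proposal itself does not mention.

```php
<?php
// Added example, not MediaWiki code: a stand-alone sketch of the per-request
// check described above. buildCorsHeaders() and its parameters are assumed names.

/**
 * Compute the CORS response headers for one request (including OPTIONS).
 *
 * @param string[] $allowedOrigins Value returned by the handler's
 *        allowCorsWithCredentialsForOrigins() override (empty = disallowed)
 * @param string|null $requestOrigin Value of the request's Origin header,
 *        or null when the header is absent
 * @return string[] Headers to add to the response, keyed by header name
 */
function buildCorsHeaders( array $allowedOrigins, ?string $requestOrigin ): array {
	// Nothing allowed, or no Origin header (same-origin or non-browser request):
	// send no CORS headers at all, so the browser blocks a credentialed request.
	if ( $allowedOrigins === [] || $requestOrigin === null ) {
		return [];
	}
	// Exact, case-sensitive string match against the allow list. No wildcard
	// and no prefix/suffix matching: with credentials, browsers reject "*",
	// and loose matching would let a look-alike origin through.
	if ( !in_array( $requestOrigin, $allowedOrigins, true ) ) {
		return [];
	}
	return [
		'Access-Control-Allow-Credentials' => 'true',
		// Echo the matched origin verbatim, as the standard requires.
		'Access-Control-Allow-Origin' => $requestOrigin,
		// Not part of the proposal above: tell caches the response differs by
		// Origin, so one origin's headers are not served to another origin.
		'Vary' => 'Origin',
	];
}

// Constructed sample: a handler allowing one origin, and four different requests.
$allowed = [ 'https://example.org' ];
var_dump( buildCorsHeaders( $allowed, 'https://example.org' ) );     // allowed origin
var_dump( buildCorsHeaders( $allowed, 'https://sub.example.org' ) ); // not an exact match
var_dump( buildCorsHeaders( $allowed, null ) );                       // no Origin header
var_dump( buildCorsHeaders( [], 'https://example.org' ) );            // default handler
```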