I'm implementing CORS (Cross-origin resource sharing) in a framework.
I know that when an XMLHttpRequest request is made using jQuery's
So, if I do want to allow credentials when the client requests it, does it mean I can't, ever, use Access-Control-Allow-Origin:*?
The point of Access-Control-Allow-Origin:* is that it lets you, with very little effort, grant access to every website. It lets you say "This data is public and anyone can access it".
If you require credentials to access the resource, then it doesn't make sense to say "This data is public and anyone can access it".
If you were to grant access to every website, then every website visited by someone logged into your site could read the data from it (effectively making it public).
So, you need to have a whitelist of trusted sites that are allowed to access the data and then check the Origin header before explicitly granting access to them.
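The check the answer describes, as an added example that is not part of the original question or answer: a server-side decision function that compares the request's Origin header against an explicit allowlist and, only on a match, echoes that exact origin back together with Access-Control-Allow-Credentials. The allowlist entries, the `corsHeadersFor` and `handleRequest` names, the request shape (`{ method, headers }` with lowercase header names, as Node's `http` module provides) and the sample JSON body are all constructed for illustration.

```javascript
// Added example (not from the original post): CORS headers for a resource that
// requires credentials (cookies / HTTP auth). Browsers refuse to combine
// Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true,
// and blindly echoing whatever Origin arrives would make the data readable by
// any site a logged-in user visits, so the only safe option is an allowlist.

// Constructed allowlist of trusted web origins (scheme + host + port, no path).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Returns the CORS response headers for a request carrying `originHeader`, or an
// empty object when the origin is absent, malformed or not trusted. With no
// Access-Control-Allow-Origin header the browser blocks the cross-origin read.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  // Same-origin/non-browser requests have no Origin; sandboxed or opaque
  // origins send the literal string "null", which must never be allowlisted.
  if (typeof originHeader !== "string" || originHeader === "null") return {};

  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return {}; // not a serialisable origin at all
  }
  // A real Origin header is exactly scheme://host[:port]; compare the canonical
  // serialisation so "https://app.example.com.evil.example" or anything with a
  // path, trailing slash or odd port is rejected rather than prefix-matched.
  const origin = parsed.origin;
  if (origin !== originHeader || !allowed.has(origin)) return {};

  return {
    // Echo the specific trusted origin, never "*" and never the raw header.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response now differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Decide a response for an incoming request of the constructed shape
// { method, headers }. Returns { status, headers, body } rather than writing to a
// socket so the logic can be exercised without a running server.
function handleRequest(req) {
  const cors = corsHeadersFor(req.headers["origin"]);

  if (req.method === "OPTIONS") {
    // Preflight: the page never sees this response, it only gates the real one.
    if (Object.keys(cors).length === 0) {
      return { status: 403, headers: {}, body: "" };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
      },
      body: "",
    };
  }

  // Actual request: the resource is served as usual (authentication happens
  // elsewhere); the CORS headers alone decide whether a cross-origin page may
  // read the body. Constructed sample body standing in for per-user data.
  return {
    status: 200,
    headers: { "Content-Type": "application/json", ...cors },
    body: JSON.stringify({ account: "alice", balance: 42 }),
  };
}

module.exports = { ALLOWED_ORIGINS, corsHeadersFor, handleRequest };
```

Wiring this into Node's `http` module is one line per header (`res.setHeader(name, value)` over the returned `headers`); the point of keeping the decision in a pure function is that the allowlist check can be unit-tested against hostile origins without a browser in the loop.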