Origin is not mirrored in CORS header when setting the first cookie

[SebastianBr]

Whenever a CORS request doesn't contain a cookie in the header, but we try to set one (set-cookie in the response header), the origin of the request is not mirrored in the response, leading to CORS errors.

        has_cookie = "cookie" in request_headers

        # If request or response includes any cookie headers, then we must respond
        # with the specific origin instead of '*'.
        if self.allow_all_origins and has_cookie:
            self.allow_explicit_origin(headers, origin)

I suggested a fix in this PR: #2675

[Kludex]

Can you post any reference that sustain your words? Also, links to CORS middleware from other frameworks will speed up the interactions here.

[SebastianBr]

Well, I have a different background than you guys and never dived deeply into frameworks that handle requests and cookies. So I cannot provide you with any proof from other frameworks.

I just learned how CORS work and I know that when you try to set cookies, the origin has to be mirrored, otherwise the browser will ignore it: https://stackoverflow.com/questions/46288437/set-cookies-for-cross-origin-requests

Make sure the HTTP headers Access-Control-Allow-Origin and Access-Control-Allow-Headers are set. Don't use a wildcard *

In my daily work I just experienced it. So I deep dived into your cors middleware and found that the origin is currently only mirrored when "cookie" is part of the request header. So in most cases, you won't experience this issue. But since we started to set cookies on a new domain, we didn't have "cookie" in the header and Access-Control-Allow-Headers was set to *

I patched this on our end and the issue disappeared.

[Kludex]

Let's continue the discussion on the PR.

I patched this on our end and the issue disappeared.

Well... This doesn't say much. Let's try to make sure the implementation is correct.