commit 3df82c4eeb72db90348e40514b280d96accdc833 Author: Peter Haight <peterh@giantrabbit.com> Date: Wed Oct 21 11:46:12 2020 -0700 Revert "Use wildcard for Access-Control-Allow-Origin" This reverts commit 9a7940ba9994789293b44c64632822cc849c918c. This didn't work because then we get this error in the browser: Access to fetch at 'https://donate-api.torproject.org/setExpressCheckout' from origin 'https://donate.torproject.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. --- src/AccessControlMiddleware.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/AccessControlMiddleware.php b/src/AccessControlMiddleware.php index d5b7381d..d900fa63 100644 --- a/src/AccessControlMiddleware.php +++ b/src/AccessControlMiddleware.php @@ -4,7 +4,7 @@ namespace Tor; class AccessControlMiddleware { public function __invoke($request, $response, $next) { - $response = $response->withHeader('Access-Control-Allow-Origin', '*'); + $response = $response->withHeader('Access-Control-Allow-Origin', $this->torSiteBaseUrl); $response = $response->withHeader('Access-Control-Allow-Credentials', 'true'); $response = $response->withHeader('Access-Control-Allow-Headers', 'Content-Type'); return $next($request, $response);