Apollo-server: CORS does not allow * wildcard with current apollo graphiql implementation

Created on 24 Aug 2017 · 8Comments · Source: apollographql/apollo-server

Expected:

Setup GraphQL endpoint with cors (default express setup)
Setup GraphiQL (default setup)
Allows querying

Actual:

Throws Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin '<location>' is therefore not allowed access.

Cause: https://github.com/apollographql/apollo-server/blob/master/packages/apollo-server-module-graphiql/src/renderGraphiQL.ts#L147

Source

diit

Most helpful comment

Can we get a feature bump on this so it can be used?
Not included in v1.1.2

diit on 31 Aug 2017

👍2

All 8 comments

Ooh, hmm.

Should we switch the default credentials to same-origin?

stubailo on 24 Aug 2017

https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials

CORS is not my strong suit but that appears to be the correct option. Unless this should be a config thing, as it appears that some people are using cookies while others need an API to be publicly accessible from arbitrary users.

diit on 24 Aug 2017

Oh I mean on the GraphiQL side - we can change the way it sends the cookies to avoid the error. We can replace include with same-origin

stubailo on 24 Aug 2017

Yes I agree, sorry if I wasn't clear.

diit on 24 Aug 2017

Awesome - mind sending a PR for that?

stubailo on 24 Aug 2017

👍1

Can we get a feature bump on this so it can be used?
Not included in v1.1.2

diit on 31 Aug 2017

👍2

Seems to be solved in v.1.1.6.