ACAO Origin reflection and Set-Cookie header in response

[jabberabbe]

Hi everyone and thanks for the effort you put into Starlette! It's a very well-designed piece of software.

I think I spotted an issue in CORSMiddleware. AFAICT, using the fetch API, credentials (including cookies) are saved only if credentials: 'include' is passed as a fetch() option. [Source: MDN]

If credentials: 'include' is passed to fetch, then Access-Control-Allow-Origin: * is not allowed as a valid response header. This is correctly handled in CORSMiddleware by reflecting the request Origin into the ACAO header if cookies were present in the request.

However, a credentialed request may not include cookies in the request but may require appropriate origin reflection if a response includes Set-Cookie headers. CORSMiddleware is not aware of this (code here). ACAO: * with Set-Cookie: .... triggers errors.

This can be temporarily fixed by using a wildcard allow_origin_regex.

Should I open an issue?