Bug: Chrome CORS deprecation warning: Authorization will not be covered by the wildcard symbol (*) in CORS Access-Control-Allow-Headers handling. #64

@yugui923

Prerequisites

Describe the issue

Hi Kinde dev team,

The current TS SDK results in a Chrome deprecation warning: Authorization will not be covered by the wildcard symbol (*) in CORS Access-Control-Allow-Headers handling.

This bug might not be directly linked to the TS SDK, but rather to the CORS header configuration of the Kinde auth server.

Currently, the Kinde server's response header is access-control-allow-headers: *, Kinde-SDK, which does not explicitly list Authorization in the allowed request headers list.

Due to the lack of an explicit declaration of Authorization content in the Kinde server's response to the OPTIONS request, the Chrome browser could potentially prevent the bearer token from being sent to the Kinde auth server once this wildcard access-control-allow-header is fully deprecated.

See the pictures below for detailed OPTIONS request/response headers, as well as the Chrome deprecation warning:
image
image

Library URL

https://github.com/kinde-oss/kinde-typescript-sdk

Library version

release 2.9.1

Operating system(s)

Windows

Operating system version(s)

Win11 with Chrome 131.0.6778.70

Further environment details

No response

Reproducible test case URL

No response

Additional information

No response
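
An added example (not part of the issue and not Kinde SDK code) that models the preflight rule the deprecation warning describes: which requested headers an `Access-Control-Allow-Headers` value leaves unauthorized once `*` no longer covers Authorization. The function names and the `explicit` header value are hypothetical; treating `*` as a literal name for credentialed requests follows the Fetch standard.

```javascript
// Added example: models how a browser evaluates Access-Control-Allow-Headers
// from a preflight response once Authorization is excluded from the wildcard.
// Function names are hypothetical; header values are constructed samples.

// Header names that "*" never covers (the warning on this page names Authorization).
const NON_WILDCARD_REQUEST_HEADERS = new Set(["authorization"]);

// Split "a, B ,c" into a lower-cased set of header names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "")
      .split(",")
      .map((name) => name.trim().toLowerCase())
      .filter((name) => name.length > 0)
  );
}

// Return the request headers the preflight response does NOT authorize.
// requestHeaders: the non-safelisted headers the page wants to send.
// withCredentials: true when the request is credentialed; "*" is then a
// literal header name, not a wildcard.
function blockedHeaders(allowHeadersValue, requestHeaders, withCredentials = false) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = allowed.has("*") && !withCredentials;
  return requestHeaders.filter((header) => {
    const name = header.toLowerCase();
    if (allowed.has(name)) return false; // explicitly listed
    if (NON_WILDCARD_REQUEST_HEADERS.has(name)) return true; // "*" does not help
    return !wildcard;
  });
}

// Constructed samples: the value reported in this issue and an explicit variant.
const reported = "*, Kinde-SDK";
const explicit = "Authorization, Kinde-SDK, Content-Type";
const wanted = ["Authorization", "Kinde-SDK", "Content-Type"];

console.log(blockedHeaders(reported, wanted)); // [ 'Authorization' ]
console.log(blockedHeaders(explicit, wanted)); // []
```

Running the same check against a captured preflight response in CI flags a server that relies on the wildcard for Authorization.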

Labels: bug (Something isn't working)