Fix CORS: allow_credentials must be False for wildcard origins

CORS spec doesn't allow credentials with wildcard origins. This was causing 403 for all crossorigin module preloads. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-15 23:53:53 +01:00
parent 2ea8bbeafd
commit ff9736dbe6
1 changed files with 2 additions and 2 deletions
@@ -49,11 +49,11 @@ def create_app() -> FastAPI:
        redoc_url=None,
    )

-    # CORS - allow all origins
+    # CORS - allow all origins (credentials=False required for wildcard origin)
    app.add_middleware(
        CORSMiddleware,
        allow_origins=["*"],
-        allow_credentials=True,
+        allow_credentials=False,
        allow_methods=["*"],
        allow_headers=["*"],
    )