According to [1], the only valid value for the 'Access-Control-Allow-Credentials' header is "true" (case sensitive).

Currently, the allowCredentials() parameter in the CrossOrigin annotation is a string:

String allowCredentials() default "";

As a minor improvement for future Spring releases, it could be changed to:

boolean allowCredentials() default false;

(or, perhaps more conveniently, deprecate the current allowCredentials() and introduce a new boolean typed annotation parameter).

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

Affects: 4.2 to 6.0


Comment From: rstoyanchev

The way it's currently declared allows differentiating between it being set explicitly to false vs not set but defaulting to false. This is important when combining global CORS config with local config on a controller, or when combining class (including parents) with method level annotations. If higher level config is explicitly set to "true" and the local is "false", whether the local one is used depends on whether it was set explicitly or not.

@sdeleuze do you agree, and anything else I'm missing?
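The three-state behaviour described in the comment above, shown as an added Java illustration (this is not Spring's own code; the `parseAttribute`, `combine` and `headerValue` helpers are hypothetical models of how a `String` attribute defaulting to `""` is mapped to a nullable `Boolean` and merged with an outer scope):

```java
import java.util.Optional;

// Added illustration: a String attribute with default "" carries three states
// (unset, "true", "false"), whereas a boolean attribute carries only two.
public class AllowCredentialsMerge {

    /** Maps the annotation attribute to a nullable Boolean; null means "not set here". */
    static Boolean parseAttribute(String allowCredentials) {
        if (allowCredentials == null || allowCredentials.isEmpty()) {
            return null; // not set: defer to class-level or global CORS config
        }
        if ("true".equals(allowCredentials)) {
            return Boolean.TRUE;
        }
        if ("false".equals(allowCredentials)) {
            return Boolean.FALSE;
        }
        throw new IllegalArgumentException("allowCredentials must be \"\", \"true\" or \"false\"");
    }

    /** Combines an outer (global or class-level) value with a local one: an explicitly set local value wins. */
    static Boolean combine(Boolean outer, Boolean local) {
        return local != null ? local : outer;
    }

    /** The header is only emitted with the literal value "true"; otherwise it is omitted. */
    static Optional<String> headerValue(Boolean effective) {
        return Boolean.TRUE.equals(effective) ? Optional.of("true") : Optional.empty();
    }

    public static void main(String[] args) {
        Boolean global = Boolean.TRUE; // constructed sample: global config allows credentials

        // Method-level attribute left at its default "": inherits the global "true".
        Optional<String> inherited = headerValue(combine(global, parseAttribute("")));

        // Method-level attribute explicitly "false": overrides the global "true".
        Optional<String> overridden = headerValue(combine(global, parseAttribute("false")));

        // With a plain boolean attribute defaulting to false, these two cases
        // would be indistinguishable, and the override could not be expressed.
        System.out.println("default \"\" -> header present: " + inherited.isPresent());
        System.out.println("explicit \"false\" -> header present: " + overridden.isPresent());
    }
}
```

The point of the model is the `null` branch in `parseAttribute`: it is the state a two-valued `boolean` attribute cannot represent, and `combine` relies on it to decide whether the local annotation has anything to say.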

Comment From: belingueres

I see. So you need to specify three states in the annotation: true, false and "use the default or whatever is defined in an outer scope". As a result a boolean would not be enough, and some Enum would have to be defined to represent this... I don't know if the change is worthwhile.

Comment From: rstoyanchev

We need the 3 states, yes, and can't use Boolean either, nor is an enum worth it. Thanks for the question anyway.

Comment From: sdeleuze

Yes I agree, sorry for the late feedback.