Made Origin header choosing logic more clear

Dmitriy Zaytsev · Dmitriy Zaytsev · commit 9d00070d7607 · 2025-01-27T12:32:30.000+03:00
diff --git a/include/crow/middlewares/cors.h b/include/crow/middlewares/cors.h
@@ -127,16 +127,25 @@ namespace crow
             set_header_no_override("Access-Control-Allow-Headers", headers_, res);
             set_header_no_override("Access-Control-Expose-Headers", exposed_headers_, res);
             set_header_no_override("Access-Control-Max-Age", max_age_, res);
+
+            bool origin_set = false;
+
             if (req.method != HTTPMethod::Options)
             {
-                if (allow_credentials_) set_header_no_override("Access-Control-Allow-Credentials", "true", res);
-                if (allow_credentials_ && origin_ == "*")
-                    set_header_no_override("Access-Control-Allow-Origin", req.get_header_value("Origin"), res);
-                else
-                    set_header_no_override("Access-Control-Allow-Origin", origin_, res);
+                if (allow_credentials_)
+                {
+                    set_header_no_override("Access-Control-Allow-Credentials", "true", res);
+                    if (origin_ == "*")
+                    {
+                        set_header_no_override("Access-Control-Allow-Origin", req.get_header_value("Origin"), res);
+                        origin_set = true;
+                    }
+                }
             }
-            else
+
+            if( !origin_set){
                 set_header_no_override("Access-Control-Allow-Origin", origin_, res);
+            }
         }
 
         bool ignore_ = false;
