Omit non-credentialed CORS header

shuchenliu · shuchenliu · commit 49578408de36 · 2026-05-16T22:47:06.000-07:00
diff --git a/src/nodenorm/handlers/base.py b/src/nodenorm/handlers/base.py
@@ -7,7 +7,6 @@ class NodeNormalizationBaseHandler(BaseHandler):
     """Base handler that keeps the lightweight BioThings handler plus CORS."""
 
     cors_origin = "*"
-    cors_allow_credentials = "false"
     cors_methods = "GET, POST, HEAD, OPTIONS"
     cors_max_age = "600"
 
@@ -19,7 +18,6 @@ def set_default_headers(self):
         requested_headers = self.request.headers.get("Access-Control-Request-Headers")
 
         self.set_header("Access-Control-Allow-Origin", self.cors_origin)
-        self.set_header("Access-Control-Allow-Credentials", self.cors_allow_credentials)
         self.set_header("Access-Control-Allow-Methods", self.cors_methods)
         self.set_header("Access-Control-Allow-Headers", requested_headers or "*")
         self.set_header("Access-Control-Max-Age", self.cors_max_age)
diff --git a/tests/test_cors.py b/tests/test_cors.py
@@ -13,7 +13,7 @@ async def get(self):
 
 def assert_cors_headers(headers, allowed_headers="*"):
     assert headers["Access-Control-Allow-Origin"] == "*"
-    assert headers["Access-Control-Allow-Credentials"] == "false"
+    assert "Access-Control-Allow-Credentials" not in headers
     assert headers["Access-Control-Allow-Methods"] == "GET, POST, HEAD, OPTIONS"
     assert headers["Access-Control-Allow-Headers"] == allowed_headers
     assert headers["Access-Control-Max-Age"] == "600"
