DEV Community

Discussion on: Understanding Cross-Origin Resource Sharing (CORS)

miguelmota profile image
Miguel Mota Author

I updated the sentence to be more clear. The Access-Control-Allow-Credentials header only needs to be present on the non-preflight response (the actual response). Cookies are only sent in the actual response. If the Access-Control-Allow-Credentials header is also present in the preflight response then cookies will still not be sent because it's the preflight response. Cookies are only sent in the non-preflight actual response.