companion: set Access-Control-Allow-Credentials only when request origin is whitelisted

examples/custom-provider/server/index.js

@@ -24,7 +24,6 @@ app.use((req, res, next) => {
     'Access-Control-Allow-Headers',
     'Authorization, Origin, Content-Type, Accept'
   )
-  res.setHeader('Access-Control-Allow-Credentials', 'true')
   next()
 })
 

examples/uppy-with-companion/server/index.js

@@ -22,7 +22,6 @@ app.use((req, res, next) => {
     'Access-Control-Allow-Headers',
     'Authorization, Origin, Content-Type, Accept'
   )
-  res.setHeader('Access-Control-Allow-Credentials', 'true')
   next()
 })
 

packages/@uppy/companion/src/standalone/index.js

@@ -101,6 +101,8 @@ app.use((req, res, next) => {
     // @ts-ignore
     if (req.headers.origin && whitelist.indexOf(req.headers.origin) > -1) {
       res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
+      // only allow credentials when origin is whitelisted
+      res.setHeader('Access-Control-Allow-Credentials', 'true')
     }
   } else {
     res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*')
@@ -114,7 +116,6 @@ app.use((req, res, next) => {
     'Access-Control-Allow-Headers',
     'Authorization, Origin, Content-Type, Accept'
   )
-  res.setHeader('Access-Control-Allow-Credentials', 'true')
   next()
 })