I programmed a Web-API using rust-axum and I made a client/frontend using just html and javascript Request. When I try to make a request from my client (opening the html file or serving a server e.g. via python -m http.serve) and making a request I got the following error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:3000/v1/auth/sign_in. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 405.
When I add .layer(CorsLayer::permissive()) to my server I can make the requests without any CORS issues, but I can’t set cookies anymore, which results in the users not beeing able to log in.
When I add .layer(CorsLayer::permissive().allow_credentials(true)) so I can set cookies again, I get the runtime error:
thread 'main' panicked at 'Invalid CORS configuration: Cannot combine `Access-Control-Allow-Credentials: true` with `Access-Control-Allow-Headers: *`', /home/mobergmann/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tower-http-0.4.4/src/cors/mod.rs:714:9
How can I change my configuration (client and/or server) so, that I can make Requests, not resulting in a CORS conflict, and be able to set cookies? The API should be public, meaning, that ay other user should be able to write their own client or hosts my client.