Description
Problem
To accept CORS requests on services running behind private ports, developers currently have to configure the service to accept credentials, even though they aren't actually using them. This is because Gitpod requires credentials to be sent, but when the response comes back from the service it will be rejected if it doesn't have the Access-Control-Allow-Credentials header.
Desired Behavior
For responses coming from private ports, Gitpod should automatically add the Access-Control-Allow-Credentials header, because it is Gitpod that is actually using the credentials, not the service behind the port. This makes private port usage more transparent. (A bonus would be to actually document what Gitpod is requiring in the requests to private ports, so people don't have to dig down the forums rabbit hole like I did in order to find out. EDIT: I just made gitpod-io/website#2164 for this.)
Alternatives
Force the developer (like how it works currently) to configure all services that need to support CORS through private ports to accept credentials and add the Access-Control-Allow-Credentials header on responses, even though they aren't actually doing anything with the incoming credentials.
Context
https://community.gitpod.io/t/why-do-i-get-a-cors-error-but-only-if-my-port-is-private/5547
Thanks to geropl for explaining this undocumented behavior and suggesting this solution.
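The browser-side check behind this request, as an added example that is not part of the original issue and is not Gitpod's code: `corsCheck` is a simplified version of the Fetch standard's CORS check, and `proxyPrivatePortResponse` is a hypothetical proxy step sketching the desired behaviour. Function names, the origin and the header objects are constructed for illustration.

```javascript
// Added example, not Gitpod code. Header names are assumed to be lower-cased.

// Simplified "CORS check" from the Fetch standard, as a browser applies it
// to a cross-origin response before exposing it to the calling script.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is only honoured when no credentials are sent.
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;
  if (credentialsMode !== "include") return true;
  // Credentialed request: the header value must be exactly "true".
  return headers["access-control-allow-credentials"] === "true";
}

// Hypothetical proxy step: on private ports, add the credentials header on
// the service's behalf. The proxy never invents Access-Control-Allow-Origin,
// so the service still decides which origins may read its responses, and a
// wildcard origin is left alone because browsers reject it with credentials.
function proxyPrivatePortResponse(upstreamHeaders, isPrivatePort) {
  const out = { ...upstreamHeaders };
  const allowOrigin = out["access-control-allow-origin"];
  if (isPrivatePort && allowOrigin !== undefined && allowOrigin !== "*") {
    out["access-control-allow-credentials"] = "true";
  }
  return out;
}

// Constructed sample values.
const ORIGIN = "https://3000-example.invalid";
const serviceHeaders = { "access-control-allow-origin": ORIGIN };
const wildcardHeaders = { "access-control-allow-origin": "*" };

function demo() {
  const proxied = proxyPrivatePortResponse(serviceHeaders, true);
  return {
    today: corsCheck(ORIGIN, "include", serviceHeaders),
    proxied: corsCheck(ORIGIN, "include", proxied),
    wildcard: corsCheck(ORIGIN, "include",
      proxyPrivatePortResponse(wildcardHeaders, true)),
    otherOrigin: corsCheck("https://other.invalid", "include", proxied),
  };
}
```

A service that answers with `Access-Control-Allow-Origin: *` would still fail the credentialed check after the proxy step, so it would need to echo a specific allowed origin either way.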