Do not mention credentials as enabled by default in CorsRegistry

Credentials are not enabled by default contrary to the javadocs. The credentials support must be enabled via #allowCredentials. Closes gh-24691 Co-authored-by: Martin Dindoffer <martin.dindoffer@sigp.eu>
5 years ago · c11dd4a839
1 changed files with 2 additions and 3 deletions
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistry.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistry.java
@ -42,9 +42,8 @@ public class CorsRegistry {
 	 *
 	 * <p>Exact path mapping URIs (such as {@code "/admin"}) are supported as
 	 * well as Ant-style path patterns (such as {@code "/admin/**"}).
-	 * <p>By default, all origins, all headers, credentials and {@code GET},
+	 * <p>By default, all origins, all headers and {@code GET}, {@code HEAD},
-	 * {@code HEAD}, and {@code POST} methods are allowed, and the max age
+	 * and {@code POST} methods are allowed, and the max age is set to 30 minutes.
 	 * is set to 30 minutes.
 	 *
 	 * <p>The following defaults are applied to the {@link CorsRegistration}:
 	 * <ul>