Use explicit origin when with credentials

starlette/middleware/cors.py

@@ -158,10 +158,11 @@ async def send(
         headers.update(self.simple_headers)
         origin = request_headers["Origin"]
         has_cookie = "cookie" in request_headers
+        has_authorization_header = "authorization" in request_headers
 
         # If request includes any cookie headers, then we must respond
         # with the specific origin instead of '*'.
-        if self.allow_all_origins and has_cookie:
+        if self.allow_all_origins and (has_cookie or has_authorization_header):
             self.allow_explicit_origin(headers, origin)
 
         # If we only allow specific origins, then we have to mirror back

tests/middleware/test_cors.py

@@ -57,6 +57,15 @@ def homepage(request):
     assert response.headers["access-control-expose-headers"] == "X-Status"
     assert response.headers["access-control-allow-credentials"] == "true"
 
+    # Test Authorization header credentialed response
+    headers = {"Origin": "https://example.org", "Authorization": "Bearer some_token"}
+    response = client.get("/", headers=headers)
+    assert response.status_code == 200
+    assert response.text == "Homepage"
+    assert response.headers["access-control-allow-origin"] == "https://example.org"
+    assert response.headers["access-control-expose-headers"] == "X-Status"
+    assert response.headers["access-control-allow-credentials"] == "true"
+
     # Test non-CORS response
     response = client.get("/")
     assert response.status_code == 200