improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

.. meta::
    :description:
        Table of contents for documentation on the Roundup Issue Tracker.

=======================================================
Roundup: an Issue-Tracking System for Knowledge Workers
=======================================================

For how to contact the community see https://www.roundup-tracker.org .

Contents
========

.. toctree::
   :maxdepth: 2

   features
   installation
   upgrading
   security
   FAQ
   user_guide
   customizing
   admin_guide
   security
   debugging
   xmlrpc
   rest
   tracker_templates
   glossary
   acknowledgements
   license
   Design Overview <overview>
   Design (original) <design>
   developers
   Notes about the MySQL Database backend <mysql>
   Notes about the PostgreSQL Database backend <postgresql>
   Richard Jones implementation notes <implementation>

See: https://wiki.roundup-tracker.org/ReleaseErrata for fixes to
documentation.

Indices
=======
 
* :ref:`genindex`