-
-
Notifications
You must be signed in to change notification settings - Fork 472
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for having specified domain instead of wildcard #310
Comments
I was digging through MDN docs on CORS, and happened to notice a specific CORS error that suggests an extra-partiuclar reason something like this might be useful: "Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*" That would make something like this handy. In the meantime, a second handler after the fact should help workaround this: app.use(function setSpecificOrigin(req, res, next) {
if (res.get('access-control-allow-origin') === '*') {
res.set('access-control-allow-origin', req.get('origin'))
}
next()
}) |
Hi, yes, it is a dance with the sec researchers, as they do want things to be secure, but also want cves under their name. And yes, if the response header of access-control-allow-origin is an asterisk to a preflight request, then a cors based client makes the second, real request it will not include credentials (cookie and authentication headers) with it, even if access-control-allow-credentials is true. |
If you want credentials to work from any origin, this module you can set |
What
We have a use case where we want to allow all domains
*
as origin, but we want library to set exact domain value (req.headers.origin) instead of*
inAccess-Control-Allow-Origin
header.The use-case comes as we also need to send credentials such as Cookies to the server. And, with
*
asAccess-Control-Allow-Origin
, you can't send credentials to the server.It can be done by adding another option such as
exactOriginIfMatches: true
:Current Behaviour*
Proposed Behaviour*
In that case, the behaviour will be same but the value of
Access-Control-Allow-Origin
will bereq.headers.origin
instead of*
. It will be helpful in sending credentials to the server.Let me know how does it sound? Will be happy to open a PR if that makes sense!
The text was updated successfully, but these errors were encountered: