Allowing CORS requests #9
Comments
There is actually a cors middleware already: Line 126 in 75dfe2a
No, that doesn't work because it doesn't respond with the origin; when you
That feature is by design, as allowing authenticated cross origin requests from any origin is a security issue.
Isn't it up to the application owner to decide if it is a security issue? Even then, if you want to allow more than one origin, you will need to return something parametrized as above since you can only specify one origin. Perhaps adding a regex to the middleware would help? E.g. something like
Yep, you are correct that the app owner can decide what they do and do not want to allow. However, the people that designed CORS, who know a lot more about security than I do, have specifically disallowed that case and so I am very reluctant to add a feature to Joey that makes it easy. An app owner that understands the consequences can always explicitly write code to make it possible, as you have done. While reading the spec I noticed that for the case where one wants authenticated access to resources from any origin the authors suggest using an access token explicitly passed with each request, as in OAuth. See the numbered lists in the Security section. If you want to allow more than one origin you can give a space-separated list of origins to the
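Added example (not Joey's `.cors()` middleware and not code from this thread): an allowlist-based CORS responder along the lines of the regex idea discussed above. It reflects the request Origin only when it matches an exact string or an anchored RegExp, sends `Vary: Origin` so caches key on it, and never pairs `*` with credentials. The Connect-style `(req, res, next)` shape and the `example.com` origins are assumptions.

```javascript
// Allowed origins: exact strings or anchored RegExps (constructed sample values).
// Anchoring matters: an unanchored /example\.com/ would also match
// https://example.com.evil.net and reflect the attacker's origin.
const ALLOWED_ORIGINS = [
  'https://app.example.com',
  /^https:\/\/[a-z0-9-]+\.example\.com$/,
];

function originAllowed(origin, allowlist) {
  // "null" is sent for sandboxed iframes, file:// pages and redirects; never reflect it.
  if (typeof origin !== 'string' || origin === 'null') return false;
  return allowlist.some((rule) =>
    rule instanceof RegExp ? rule.test(origin) : rule === origin);
}

// Compute the CORS response headers for one request. Returns {} when the
// Origin is absent or not on the allowlist, so the browser blocks the read.
function corsHeaders(reqHeaders, allowlist) {
  const origin = reqHeaders.origin;
  if (!originAllowed(origin, allowlist)) return {};
  const headers = {
    // Reflect the single matching origin; the spec forbids '*' with credentials.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
  if (reqHeaders['access-control-request-method']) {
    // Preflight: advertise what the app actually supports (constructed values).
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] =
      reqHeaders['access-control-request-headers'] || 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Connect-style middleware wrapper (assumed API, not Joey's own chain).
function allowlistCors(allowlist = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const headers = corsHeaders(req.headers, allowlist);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (req.method === 'OPTIONS') { res.statusCode = 204; res.end(); return; }
    next();
  };
}
```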
On the other hand, a package like https://github.com/antono/connect-cors already allows you to make "*" return the correct string.
@wmertens that’s a great observation. We’ll try to find some time to study both solutions and make some changes to our existing .cors() app.
I wrote this middleware to allow all CORS requests, just add .use(AllowAllCors) where you want it in the chain. I think this should be one of the default Apps, perhaps with configurability about what requests are allowed. Thoughts?
It's not super-tested but it seems to work 😊