Option to set `Timing-Allow-Origin` about cors HOT 4 CLOSED

Hi @dcherman Inever heard of that header before, that was a good learning about! Sorry your issue sat here for a while; I'm recently looking after this module so trying to go through everything.

That being said, I think that it is out of scope for this module, since it does not fall into the realm of http://www.w3.org/TR/cors/ and there are probably use-cases where someone would want them configured independently. But there is a easy implementation for your desired state:

var cors = require('cors')
var onHeaders = require('on-headers')

// ... all your stuff

app.use(function (req, res, next) {
  onHeaders(res, function () {
    var allowOrigin = res.getHeader('Access-Control-Allow-Origin')
    if (allowOrigin) {
      res.setHeader('Timing-Allow-Origin', allowOrigin)
    }
  })
  next()
})
app.use(cors())

I hope this helps!

from cors.

@dougwilson at the time that you wrote your response over six years ago, Timing-Allow-Origin was not part of the CORS standard (link).

In 2019, it was added to the standard (whatwg/fetch#955) and it is currently included in the living CORS standard.

Is it worth revisiting the decision not to add support for Timing-Allow-Origin in this library?

from cors.

Hi @jmpage yea, it is part of the fetch spec, but still outside of the CORS part of the spec. You can find the CORS part only in section 3.2 of fetch you linked. That entire spec is all of fetch, with CORS on the server side, what this module is, only being section 3.2 .

from cors.

Got it and great point, thank you for your feedback, Doug!

from cors.