
Comments (6)

dougwilson avatar dougwilson commented on April 27, 2024 1

I don't think that is feasible with CORS. Have you verified? Because either the Cookie header or the Authorization header would be included in the CORS OPTIONS request by the web browser, which is the point at which the Origin header would need to be responded to. This is because the pre-flight request (OPTIONS method) only contains a small subset of headers that are defined in the CORS spec.

from cors.

dougwilson avatar dougwilson commented on April 27, 2024 1

So the way CORS itself works (unrelated to this module) is that it's a "double-opt-in" system. The idea is that the client has no idea if the web server supports CORS and so it needs a way to probe that. What they did was create a "pre-flight" request whenever the original request was not a "safe request" -- that is, if the request is not one of the "simple verbs" and/or it contains auth-like headers like Cookie, Authorization, etc. So when that is the case, the web browser will first make that "pre-flight request" which is the verb OPTIONS and includes none of the body content and headers from the original request, and that request is where your decision needs to happen on what the Access-Control-Allow-Origin etc. headers contain. If it doesn't contain the Origin then the web browser will fail and never make the original request.

Your example wants to decide between two cases that are both "non-safe" and thus they would both use a pre-flight, at which point it would not be possible to tell which is which case, but you need to supply an Access-Control-Allow-Origin to get the original request to be made, of course.

I hope that makes sense.

from cors.
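The exchange described in the comment above, modelled as an added example (this is not code from the cors module or from either commenter). It simulates the browser's preflight decision and the kind of credential-based origin callback the issue asks for, then runs two credentialed PUT requests through it. The origin, the `session` cookie, `TRUSTED_TOKEN` and the `originDecision` callback are all constructed for illustration. One detail worth noting: the preflight does carry the *names* of author-set headers in Access-Control-Request-Headers, so a server can tell an Authorization header is coming, but never its value, and the preflight never carries cookies. A simple GET that relies only on the browser's cookie skips the preflight entirely, so the callback does see the cookie in that one case.

```javascript
'use strict';

// Methods and headers a browser treats as CORS-safelisted (no preflight).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Would the browser send a preflight for this request? `authorHeaders` are the
// headers the page's script set explicitly. Cookies are attached by the browser
// itself and are never author headers, so they do not count here.
function needsPreflight(method, authorHeaders) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// The preflight the browser sends: OPTIONS, no body, no cookies, no
// Authorization value. Only the *names* of author headers travel, in
// Access-Control-Request-Headers.
function buildPreflight(origin, method, authorHeaders) {
  const names = Object.keys(authorHeaders).map((h) => h.toLowerCase()).sort();
  const headers = { origin, 'access-control-request-method': method.toUpperCase() };
  if (names.length > 0) headers['access-control-request-headers'] = names.join(',');
  return { method: 'OPTIONS', headers };
}

// The actual request as the server receives it once the browser is allowed to
// send it: author headers plus whatever cookie the browser holds for the site.
function buildActual(origin, method, authorHeaders, browserCookie) {
  const headers = { origin };
  for (const [name, value] of Object.entries(authorHeaders)) headers[name.toLowerCase()] = value;
  if (browserCookie) headers.cookie = browserCookie;
  return { method: method.toUpperCase(), headers };
}

// The origin decision the issue asks for: reflect the origin only when the
// request proves it carries a valid credential. TRUSTED_TOKEN is a constructed
// sample credential, not a real secret.
const TRUSTED_TOKEN = 'constructed-token';
function originDecision(req) {
  if (req.headers.authorization === `Bearer ${TRUSTED_TOKEN}`) return 'allow:token';
  if (/(?:^|;\s*)session=/.test(req.headers.cookie || '')) return 'allow:cookie';
  return 'deny';
}

// One cross-origin fetch with credentials. The preflight (if any) is decided
// first; the actual request is only sent if the preflight response carried an
// Access-Control-Allow-Origin matching this origin.
function simulate(origin, method, authorHeaders, browserCookie) {
  if (!needsPreflight(method, authorHeaders)) {
    const actual = buildActual(origin, method, authorHeaders, browserCookie);
    return { preflight: null, preflightDecision: null, actualDecision: originDecision(actual) };
  }
  const preflight = buildPreflight(origin, method, authorHeaders);
  const preflightDecision = originDecision(preflight);
  const actualDecision = preflightDecision === 'deny'
    ? null // browser raises a CORS error; the real request never leaves the client
    : originDecision(buildActual(origin, method, authorHeaders, browserCookie));
  return { preflight, preflightDecision, actualDecision };
}

// Constructed sample traffic from https://app.example (not captured data).
const ORIGIN = 'https://app.example';
const good = simulate(ORIGIN, 'PUT', { Authorization: `Bearer ${TRUSTED_TOKEN}` }, 'session=abc');
const bad = simulate(ORIGIN, 'PUT', { Authorization: 'Bearer wrong' }, null);
const simple = simulate(ORIGIN, 'GET', {}, 'session=abc');

console.log(JSON.stringify({ good, bad, simple }, null, 2));
```

Both PUT cases produce byte-identical preflights (Origin, Access-Control-Request-Method, Access-Control-Request-Headers: authorization), so the callback returns the same answer for the valid and the forged token; since that answer is "deny", the browser never sends the real request, and the server never gets to see either credential. Only the cookie-only simple GET reaches `originDecision` with something to check.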

fabis94 avatar fabis94 commented on April 27, 2024

@dougwilson Am I understanding you correctly - you're skeptical because not all headers will be available for checking in that newly proposed origin calculation callback?

If so, I still think it's good enough, because you can at least check some headers. The most important ones are the authorization & cookie headers, so as long as those are there, that's already very helpful.

from cors.

dougwilson avatar dougwilson commented on April 27, 2024

I'm saying that AFAIK neither of those exact headers would be available, so your solution wouldn't work no matter if this was added or not. I'm asking if you verified that or not.

from cors.

fabis94 avatar fabis94 commented on April 27, 2024

@dougwilson I haven't verified this, no, it was my assumption that you'd get these headers like you would with a normal request. With this new information coming to light, the feature request might not make any sense anymore.

from cors.

fabis94 avatar fabis94 commented on April 27, 2024

It does make sense, thank you

from cors.
