
Comments (4)

dougwilson avatar dougwilson commented on April 27, 2024 1

Hello, and thank you for your issue. You can already provide a function to do this if you like. CORS is not a security mechanism to only allow certain things; it is created by web browsers so they can take input from the server side to increase the sharing of the content. Endpoints that are relying on the Origin to implement security restrictions are completely outside of the CORS spec and that is not what CORS is for. This module is here to implement the CORS as specified by the whatwg (originally from w3c), which is not to deny when there is no origin.

from cors.

dougwilson avatar dougwilson commented on April 27, 2024

Sorry, I didn't mean to close this issue. If you can show where in the cors spec it shows the change you would like to see, we'd be happy to make the change to follow the spec.

from cors.

oscyp avatar oscyp commented on April 27, 2024

I wasn't aware that the implementation comes from the w3c spec. Thanks for letting me know.

In that case, we can close the ticket.

from cors.

dougwilson avatar dougwilson commented on April 27, 2024

No problem 👍. I'm sorry I may have come off strong at first; many people create issues and even barrage this module with security vulns without understanding the purpose of CORS. To elaborate a bit on this module, the idea is that if you app.use(cors()) you are basically saying "yes, I want to share everything on this site" -- it is perfect for static content and similar. One would not want to also have curl requests and similar server-to-server requests blocked now because they are not a web browser and do not set an Origin request header.

The latest from the spec is this:

However, if Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests

So it specifically states we should send it for non-CORS requests too (which would be requests without an Origin request header, for example). I hope that helps!

from cors.
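The behaviour the maintainer describes (a static `*` or fixed origin is sent on every response, Origin header or not, while a dynamic allow-list function reflects only matching origins) can be modelled as a pure function. The block below is an added example, not the expressjs/cors module's own code; the names `corsHeaders` and `allowOrigin` are this example's, the request objects are constructed, and the allow-list callback is synchronous for simplicity (the module's `origin` option takes a callback-style function). Note that the function only chooses response headers: the response body is still served in every case, which is why an Origin check is not access control and a curl request without Origin is neither blocked nor special.

```javascript
// Added example (not the cors module's code): model the header logic discussed
// in the thread as a pure function so it can be exercised without a server.
//   req: { headers: { origin?: string } }  -- a constructed request object
//   opts.origin: '*' | string | (origin) => boolean  (assumed shape)
function corsHeaders(req, opts = {}) {
  const origin = opts.origin === undefined ? '*' : opts.origin;
  const requestOrigin = req.headers.origin;
  const out = {};

  if (typeof origin === 'string') {
    // Static value ('*' or a fixed origin): per the spec text quoted above,
    // send it on every response, CORS request or not. A curl or
    // server-to-server request with no Origin header gets it as well.
    out['Access-Control-Allow-Origin'] = origin;
    return out;
  }

  // Dynamic allow-list: reflect the request's Origin only when the callback
  // accepts it. Responses now differ per Origin, so caches must key on it.
  out['Vary'] = 'Origin';
  if (requestOrigin !== undefined && origin(requestOrigin)) {
    out['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return out;
}

// Hypothetical allow-list in the spirit of `cors({ origin: fn })`.
const allowed = new Set(['https://app.example', 'https://admin.example']);
function allowOrigin(o) {
  return allowed.has(o);
}

// Constructed requests for demonstration.
const browserReq = { headers: { origin: 'https://app.example' } };   // allowed origin
const otherReq = { headers: { origin: 'https://other.example' } };   // not on the list
const curlReq = { headers: {} };                                     // no Origin at all

// Walk the three requests through both configurations.
function demo() {
  const rows = [];
  for (const [name, req] of [['browser', browserReq], ['other-origin', otherReq], ['curl', curlReq]]) {
    rows.push({
      request: name,
      defaultConfig: corsHeaders(req),
      allowListConfig: corsHeaders(req, { origin: allowOrigin }),
    });
  }
  return rows;
}

for (const row of demo()) {
  console.log(row.request, JSON.stringify(row.defaultConfig), JSON.stringify(row.allowListConfig));
}
```

With the default configuration every request, including the one without an Origin header, receives `Access-Control-Allow-Origin: *`; with the allow-list function the header is only reflected for `https://app.example`, and every response carries `Vary: Origin` so shared caches do not serve one origin's reflected header to another. Whether the request is answered at all is decided elsewhere (authentication, authorization), never by these headers.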
