Comments (4)
Hello, and thank you for your issue. You can already provide a function to do this if you like. CORS is not a security mechanism to only allow certain things; it is created by web browsers so they can take input from the server side to increase the sharing of the content. Endpoints that are relying on the Origin to implement security restrictions are completely outside of the CORS spec and that is not what CORS is for. This module is here to implement the CORS as specified by the whatwg (originally from w3c), which is not to deny when there is no origin.
from cors.
Sorry, I didn't mean to close this issue. If you can show where in the cors spec it shows the change you would like to see, we'd be happy to make the change to follow the spec.
from cors.
I wasn't aware that the implementation comes from the w3c spec. Thanks for letting me know. In that case, we can close the ticket.
from cors.
No problem 👍 . I'm sorry I may have come off strong at first; many people create issues and even barrage this module with security vulns without understanding the purpose of CORS. To elaborate a bit on this module, the idea is that if you app.use(cors()) you are basically saying "yes, I want to share everything on this site" -- it is perfect for static content and similar. One would not want to also have curl requests and similar server-to-server requests blocked now because they are not a web browser and do not set an Origin request header.
The latest from the spec is this:
"However, if Access-Control-Allow-Origin is set to * or a static origin for a particular resource, then configure the server to always send Access-Control-Allow-Origin in responses for the resource — for non-CORS requests as well as CORS requests"
So it specifically states we should send it for non-CORS requests too (which would be requests without an Origin request header, for example). I hope that helps!
from cors.
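As an added example (not the cors module's own code), a small JavaScript model of the header decision the comment describes: a static `*` or static origin is sent even when the request carries no Origin header, while denying such requests is left to an application-supplied origin function (here the hypothetical `reflectOnlyIfAllowed`; the `corsHeaders` helper and its synchronous return convention are also assumptions, not the module's API).

```javascript
// Added example, not code from the cors module: a minimal model of how the
// Access-Control-Allow-Origin response header is chosen for a request, following
// the spec behaviour quoted in the thread. Function names are hypothetical.

// `originOption` mimics the shape of the module's `origin` option:
//   true or '*'   -> share with everyone (static wildcard)
//   'https://...' -> one static origin
//   function      -> the application decides per request; it returns the
//                    origin string to send, or false to send nothing
// `requestHeaders` is a plain object of lower-cased request header names.
function corsHeaders(originOption, requestHeaders) {
  const requestOrigin = requestHeaders.origin; // undefined for curl / server-to-server
  const headers = {};

  if (originOption === true || originOption === '*') {
    // Static '*': the spec says to send it for non-CORS requests as well,
    // so a request with no Origin header still receives it.
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }

  if (typeof originOption === 'string') {
    // Static single origin: likewise sent unconditionally. The value does not
    // depend on the request, so Vary: Origin is not needed.
    headers['Access-Control-Allow-Origin'] = originOption;
    return headers;
  }

  // Dynamic policy: the application, not CORS itself, decides. The response now
  // depends on the request, so shared caches must be told with Vary: Origin.
  headers['Vary'] = 'Origin';
  const decision = originOption(requestOrigin);
  if (decision) headers['Access-Control-Allow-Origin'] = decision;
  return headers;
}

// Hypothetical policy for what the issue asked for: reflect only a known
// origin and send no Access-Control-Allow-Origin when Origin is absent.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
function reflectOnlyIfAllowed(requestOrigin) {
  return requestOrigin && ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : false;
}

// Constructed sample requests: a browser fetch and a curl call with no Origin.
const browserRequest = { origin: 'https://app.example' };
const curlRequest = {};
console.log(corsHeaders('*', curlRequest));                     // { 'Access-Control-Allow-Origin': '*' }
console.log(corsHeaders(reflectOnlyIfAllowed, curlRequest));    // { Vary: 'Origin' }
console.log(corsHeaders(reflectOnlyIfAllowed, browserRequest)); // { Vary: 'Origin', 'Access-Control-Allow-Origin': 'https://app.example' }
```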