Comments (5)
You can check the value using res.get('Access-Control-Allow-Origin') as part of your logic of course.
Yes, the request goes through because that is what the CORS spec calls for. Remember that CORS is not an authn system, and should not ever be used as such. CORS is simply a system to tell web browsers if the response body/headers can be read by certain JavaScript actions.
It is not clear what you really mean by CORS failing though, as just because the headers are not set doesn't mean much; it really depends on what the client decides to do, so only the client (web browser) can determine if there is an actual failure or not.
Can you provide some example of what you are trying to achieve, exactly?
Hi Doug. Honored by your extremely swift response. Thank you for the time (edit: and many years of hard work across the Node.js ecosystem)!
We realize that CORS is not an authn system. But it still seems somewhat concerning that POST requests from external sites can hit us, and we'd like to lock this down a little more. We do have other CSRF mechanisms in place, but we'd feel safer doing some CORS validation server-side, & ending processing if it's not an expected origin.
I've found a tiny bit of discussion on the topic at the bottom of a stackoverflow... https://security.stackexchange.com/a/265002
but we'd feel safer doing some CORS validation server-side, & ending processing if it's not an expected origin.
Ah.. unfortunately that was flagged as a vuln here because that is authn behavior. It was removed so we don't have an active CVE against the module. Unfortunately we cannot add this back because, according to the sec folks, it will instill the idea that people can block requests with CORS, which is unfortunately not true; there are a lot of holes in that and it causes security issues because folks think it will work, especially when the module makes it seem that way. The CORS spec is to only add headers and not stop request processing. You can always add your own middleware right after the cors one to implement your own method to stop the request processing based on your own assessment. I hope that helps.
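The "own middleware right after the cors one" approach described in the comment above, as an added example written for this thread rather than code from the cors module or from either commenter; the allowlist, `originGuard`, `runGuard` and `https://app.example.com` are constructed for illustration:

```javascript
// Added example (not the cors module's code): an Express-style middleware placed
// right after cors() that ends processing when a state-changing cross-site request
// carries an Origin that is not on our allowlist. Origin is only sent by browsers,
// so this is defense in depth alongside real CSRF/authn controls, never a substitute.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist

// Methods that typically change state; plain GET/HEAD/OPTIONS are left to cors().
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function originGuard(allowed = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const origin = req.headers.origin; // Node lowercases incoming header names
    // Absent Origin means a same-origin navigation or a non-browser client; there is
    // nothing for CORS to decide here, so the request proceeds to the other controls.
    if (origin === undefined || !STATE_CHANGING.has(req.method)) return next();
    // Exact string match: no regexes or substring checks, so
    // "https://app.example.com.evil.example" and the opaque "null" origin are refused.
    if (allowed.has(origin)) return next();
    res.status(403).end(); // stop the chain; later handlers never run
  };
}

// Minimal stand-in for Express req/res so the guard can be exercised without a server.
function runGuard(method, origin, allowed = ALLOWED_ORIGINS) {
  const req = { method, headers: origin === undefined ? {} : { origin } };
  const res = {
    statusCode: 200, ended: false,
    status(code) { this.statusCode = code; return this; },
    end() { this.ended = true; return this; },
  };
  let nextCalled = false;
  originGuard(allowed)(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode, ended: res.ended };
}

// With real Express this would be: app.use(cors(corsOptions)); app.use(originGuard());
```

The guard compares the full origin string (scheme, host and port), which is why the allowlist should not be built from hostnames or loose regexes.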
ACK. We've done so already. ;) Weird world. Forever indebted for much much much work of yours, & a very fast & great interaction on this. Thank you, closing.