How can I use multiple allowed origins?
Like https://github.com/expressjs/cors does...

Am I missing something?

I have this code below:

const microCors = require('micro-cors')
const { send } = require('micro')

const cors = microCors({ origin: 'https://google.com' })

const handler = (req, res) => {
  console.log('> RUN')
  send(res, 200, 'OK')
}

module.exports = cors(handler)

If I make a request in the client-side I receive a cors warning in my console, but still the code inside handler runs, it's not blocked. If I'm not making a request from https://google.com, the code shouldn't run and I should receive a warning in the client-side, right?

Getting

"Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request."

when I include any Content-Type or Authorization header. Works when Content-Type and Authorization headers are omitted. Ideas?

Hi. Thank you for your work

I am interesting about publishing beta v1 pre-release

Current version does not allows to works without correct implementation of pre flight.
Pre flight implemented in #48 but did not published.

Currently I made a fork where built the lib and pushed it as a commit. That is added
as dependency to application. This way in not nice. Let me know any more good
way to install pre release v1 micro-cors library.

Thanks

• We should set the Vary header to Origin iff dynamically setting the origin (i.e. origin is an array, regex, or function)
• When setting the Vary header, make sure to append if there's already a value in res.headers['Vary'] and simply set if no value
• add test('does not include Vary header for static origins')

Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across-origins.

https://www.w3.org/TR/cors/#resource-implementation

If CORS protocol requirements are more complicated than setting Access-Control-Allow-Origin to "*" or a static origin, Vary is to be used.

https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches

@lucasfischer, could you sum up your research so far? like possible ways to approach, etc. Doesn’t need to be too specific, we’ll discuss pros and cons of the different approaches.

Thanks for this module <3 Found the missing PATCH method bug on 0.0.4. It's fixed in master. npm publish recommended 👍

In order to bring this library up to the CORS spec, we need to accomplish the following tasks. Please review the spec and add to this list!!

Simple Cross-Origin Request, Actual Request, and Redirects

• If the Origin header in the request is not present, stop adding headers and run handler
• If the Origin header in the request does not match exactly, stop adding headers and run handler
• If allowCredentials is true, Set Access-Control-Allow-Origin to the value of the Origin header (is the client responsible for rejecting if Origin is *?)

Preflight Request

• Return empty response and don't run the handler #48
• Return 204 as empty response? Allow user to change response code?
• If the Origin header in the request is not present, stop adding headers and return empty
• If the Origin header in the request does not match exactly, stop adding headers and return empty

Dynamic Access-Control-Allow-Origin

• Allow user to set multiple origins in config #53
• Correctly use Vary header #58

Specification

• https://www.w3.org/TR/cors/#resource-requests
• https://www.w3.org/TR/cors/#resource-preflight-requests

Supplementary reading

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control
• https://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server
• https://www.html5rocks.com/en/tutorials/cors/#toc-cors-server-flowchart
• https://github.com/expressjs/cors#configuration-options (this is not our spec, just an example of one implementation)

cc @bukinoshita @infernalmaster @lemol

request and request-promise are listed as dependencies.
This leads to an unnecessary bloated package size when installing micro-cors.

  "dependencies": {
    "request": "^2.81.0",
    "request-promise": "^4.2.0"
  },

micros are supposed to be light!

The README says to install using yarn add micro-api. This should be yarn add micro-cors.

Can you please update the code in npm, cors is eating the extra arguments in the current version but the one in github seems to be handling it correctly

Thanks

I see an already closed issue on this topic; I'm wondering what the solution to the problem is, and if there's something I am missing to get it to function correctly.

I am receiving this error after wrapping an axios.get request to a Google API endpoint.

https://www.npmjs.com/package/micro-cors

The NPM package for this repo lists the most recent version as 0.1.1, but the version in this repo is 1.0.0. Is it possible to publish the newest version to NPM?

There are a lot of online tutorials that reference micro and micro-cors on the Internet. With this package not having been updated in 3 years, it is a cause for concern for new developers looking to adopt micro and a CORS solution in their applications.

The problem may be reproduced with apollo-server.

bundle.esm.js:169 OPTIONS http://localhost:3000/graphql 405 (Method Not Allowed)
project:1 Access to fetch at 'http://localhost:3000/graphql' from origin 'http://localhost:8081' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
index.js:75 [Network error]: TypeError: Failed to fetch

The ApolloServer does not expect http method OPTIONS here
So with the current implementation it is not possible to make it worked.

The pull #53 solves this problem here

Using simple glob patterns

• If origin = * do nothing
• If origin matches https://*.domain.com evaluate and resolve origin on every request using Referer header
• If origin contains command, treat it as list of URIs, evaluate every item in list
• If no origin match, deny request with 400 Bad Request

Both code does not work since send does not exist. It's pretty simple to solve that, but I do believe it would be better to have a code that actually works in the readme

const cors = require('micro-cors')()
const handler = (req, res) => send(res, 200, 'ok!')

module.exports = cors(handler)

const microCors = require('micro-cors')
const cors = microCors({ allowMethods: ['PUT', 'POST'] })
const handler = (req, res) => send(res, 200, 'ok!')

module.exports = cors(handler)

const api = cors(microApi([ ... is working, but if i try on individual handler i am getting an error

TypeError: Cannot read property 'setHeader' of undefined

Sample repo https://github.com/vinaypuppal/micro-cors-error

My code:

import micro from 'micro'
import auth from './auth'
import routes from './routes'
import cors from 'micro-cors'

micro(cors(auth(routes))).listen(3000)

then I get

TypeError: "string" must be a string, Buffer, or ArrayBuffer
    at Function.byteLength (buffer.js:441:11)

can delete this one..

Change runHandlerOnOptionsRequest to runHandlerOnPreflightRequest

Why is version 1 based on babel? There's no strange code in it that needs to be transpiled. At the moment when the v1 is imported this error happens:

 ReferenceError: regeneratorRuntime is not defined

I'm also seeing that v1 is starving and I would be happy to help. Is there a list of issues I can work on? I can do some of the point in the spec, but some are question more than todos. Let me know.

The package.json says it is MIT licensed, but the actual LICENSE file is missing from the repository.