agrueneberg / corser
CORS middleware for Node.js
License: MIT License
What am I missing? I follow the example but still getting pre-flight error
```js
app.use(corser.create({
    endPreflightRequests: false
}));
app.post('/resource/my-test', (req, res, next) => {
    if(req.method === 'OPTIONS') {
        res.writeHead(204);
        res.end();
    }
    ...
});
```
FTP is required to retrieve information from certain biological databases, e.g. ftp://ftp.ncbi.nlm.nih.gov/genomes/Viruses/Bundibugyo_ebolavirus_uid51245/NC_014373.faa.
e.g. in Riak, meta-data can take the form of an http header: X-Riak-Meta-*. Corser cannot proxy Riak effectively w/o this feature.
Hello!
I am using deployd (https://github.com/deployd/deployd) which is using corser for cors-requests.
I found out that Firefox 48 and Chrome 52 are different when sending Method-Options Requests. I have an API and a Client. The API and the Client do not share the same domain, so CORS Requests are used.
When deleting a resource on the API delete-method is used.
Firefox sends:
access-control-request-method: DELETE
Chrome sends:
access-control-request-method: DELETE
req.headers['access-control-request-headers']: (empty string)
In line https://github.com/agrueneberg/Corser/blob/master/lib/corser.js#L129 the request-headers header is used to find out if the browser wants to send custom headers. When this header is not sent, the requestHeaders array is empty and the following https://github.com/agrueneberg/Corser/blob/master/lib/corser.js#L143 is true. But when using Chrome the header is present. The header "" (empty string) is searched for but of course can't be found.
I am not sure but I think this is either a bug from chrome or from corser.
Edit: Bug is from chrome. https://bugs.chromium.org/p/chromium/issues/detail?id=633729
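The empty-header case from the report above, as an added example that is not Corser's own code: a fragile parse of Access-Control-Request-Headers beside a robust one. Firefox omits the header when no custom headers are requested while Chrome sends it with an empty value; both must mean "nothing requested", otherwise "" is looked up as a header name and never matches. The allow-list below is the CORS-safelisted set and is an assumption of this example.

```javascript
// Added example, not Corser's own code: parse the preflight
// Access-Control-Request-Headers value defensively and check it against an
// allow-list of request headers.

// CORS-safelisted request headers, used here as the assumed allow-list.
const SIMPLE_REQUEST_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

// Fragile variant: splits the value without discarding empty tokens, so an
// empty header yields [""] and the lookup of "" fails the whole preflight.
function naiveHeadersAllowed(headerValue, allowedHeaders) {
  const requested = headerValue === undefined
    ? []
    : headerValue.split(",").map((h) => h.trim().toLowerCase());
  return requested.every((h) => allowedHeaders.includes(h));
}

// Robust parse: missing header, empty string, whitespace and stray commas all
// collapse to "no custom headers"; names are lower-cased for comparison.
function parseRequestedHeaders(headerValue) {
  if (headerValue === undefined || headerValue === null) return [];
  return headerValue
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// Returns which requested headers fall outside the allow-list, so a refused
// preflight can be logged with the offending names.
function checkRequestedHeaders(headerValue, allowedHeaders) {
  const allowed = new Set(allowedHeaders.map((h) => h.toLowerCase()));
  const requested = parseRequestedHeaders(headerValue);
  const rejected = requested.filter((h) => !allowed.has(h));
  return { ok: rejected.length === 0, requested, rejected };
}
```

With the fragile variant, `naiveHeadersAllowed("", SIMPLE_REQUEST_HEADERS)` is false although the browser asked for nothing; the robust check treats the same input as an allowed preflight.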
Hey, I was reading through the docs for your npm module and got kinda stuck on the part where you explain the configuration Object.
I am working on a server that's supposed to be configured through a config file. I also want to make the origins I allow configurable. (Not just allow all of them by just calling corser.create() as middleware).
However I got stuck on the type of the origins property. Also, can you insert an * into the property of the config object to allow all origins anyway?
(Else I have to create some code to make sure everything works the way I want it to)
You might want to pimp your readme file a bit to make it more clear for people on how to use your module. I personally document all my code using JSDoc and then use a handy tool to write that JSdoc into markdown format. You can see the result of this in the documentation of my npm module called magister-tools.
The handy module I use to do this is called jsdoc-to-markdown
However, please make sure to include the type of every property on the config Object and a clear description of what it does. Along with any special values you can put into the property etc. (like a * or something)
I recommend putting it into a markdown table like this for readability but that's totally up to you!
property-name | type | Description
---|---|---
Example | string | An example string
I realize not everyone has as much time as I do etc.
Awesome module BTW!
Content-Type is only considered a simple header if its value is application/x-www-form-urlencoded, multipart/form-data, or text/plain.
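The rule quoted above, carried into a small classifier as an added example (not Corser's own code): a cross-origin request is a CORS "simple request" (sent without a preflight) only if its method and its script-set headers are safelisted, and Content-Type counts only for the three media types named, with parameters such as `; charset=utf-8` ignored. The `authorHeaders` argument is an assumption of this example: it holds only the headers the calling script set, not the ones the browser adds itself (Host, Origin, User-Agent).

```javascript
// Added example, not Corser's own code: classify a request as simple or
// preflighted from its method and the headers the calling script set.

const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SIMPLE_REQUEST_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SIMPLE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// "Text/Plain; charset=utf-8" -> "text/plain": drop parameters, normalise case.
function mediaType(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// Returns { simple, reason } so a log line can say why a preflight happened.
// `authorHeaders`: plain object of script-set header names -> values.
function classifyRequest(method, authorHeaders) {
  if (!SIMPLE_METHODS.includes(method.toUpperCase())) {
    return { simple: false, reason: "method " + method + " is not GET/HEAD/POST" };
  }
  for (const name of Object.keys(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_REQUEST_HEADERS.includes(lower)) {
      return { simple: false, reason: "header " + name + " is not a simple header" };
    }
    if (lower === "content-type") {
      const type = mediaType(authorHeaders[name]);
      if (!SIMPLE_CONTENT_TYPES.includes(type)) {
        return { simple: false, reason: "Content-Type " + type + " requires a preflight" };
      }
    }
  }
  return { simple: true, reason: "simple request, no preflight" };
}
```

A POST with `Content-Type: text/plain; charset=utf-8` is classified as simple, while the same POST with `application/json` is not, which is why JSON APIs behind Corser always see an OPTIONS request first.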
When corser is applied without the origins option, the ACAO header is set to *. However, if it is applied without the origins option AND the supportsCredentials option is enabled, the middleware silently reflects the requesting origin in the ACAO header. This leaves the application open to cross-domain attacks since any origin can read the response to credentialed requests.
The relevant portion of code is located at https://github.com/agrueneberg/Corser/blob/master/lib/corser.js#L163-L169
Allowing arbitrary origins to read credentialed responses is specifically forbidden in the CORS spec. I suggest warning the developer when the supportsCredentials option is enabled with an undefined origins option, or leaving the ACAO header as * and letting the cors-compliant browsers reject the cross-origin response due to improper CORS headers.
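The two Access-Control-Allow-Origin policies described in the issue above, side by side as pure functions that return the headers to set. This is an added example, not Corser's code: `config` borrows Corser's option names (origins, supportsCredentials) but is a plain object, `requestOrigin` is the value of the request's Origin header, and the start-up check implements the issue's suggestion of warning the developer.

```javascript
// Added example, not Corser's own code: reflecting vs strict ACAO policy.

// Behaviour the issue describes: with no origins list and credentials enabled,
// whatever Origin the client sent is echoed back together with
// Access-Control-Allow-Credentials: true, so any site can make a credentialed
// request and read the response.
function reflectingAllowOrigin(requestOrigin, config) {
  const headers = {};
  if (config.origins === undefined) {
    headers["Access-Control-Allow-Origin"] = config.supportsCredentials ? requestOrigin : "*";
  } else if (config.origins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  if (config.supportsCredentials && headers["Access-Control-Allow-Origin"] !== undefined) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Hardened policy: credentials are only paired with an origin from an explicit
// allow-list. Without an allow-list the answer stays "*" and no credentials
// header is sent, so a compliant browser refuses to expose the body of a
// credentialed response (the outcome the issue suggests).
function strictAllowOrigin(requestOrigin, config) {
  const headers = {};
  if (config.origins === undefined) {
    headers["Access-Control-Allow-Origin"] = "*"; // never combined with Allow-Credentials
    return headers;
  }
  if (!config.origins.includes(requestOrigin)) {
    return headers; // disallowed origin: no CORS headers at all
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Vary"] = "Origin"; // the answer differs per Origin; keep caches honest
  if (config.supportsCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Start-up check: refuse the dangerous combination outright instead of
// silently reflecting. Returns true for an acceptable configuration.
function validateCorsConfig(config) {
  if (config.supportsCredentials && config.origins === undefined) {
    throw new Error("supportsCredentials requires an explicit origins allow-list");
  }
  if (config.supportsCredentials && config.origins.includes("*")) {
    throw new Error("a wildcard origin cannot be combined with supportsCredentials");
  }
  return true;
}
```

Run against a constructed `https://attacker.example` Origin with `{ supportsCredentials: true }`, the reflecting policy returns that origin plus `Access-Control-Allow-Credentials: true`; the strict policy returns only `*`, and the validator rejects the configuration before the server starts.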
Awesome module, really love it and use it extensively. One thing you might want to consider is adding a .gitignore file to avoid pushing node_modules to git.
Typical content would look like:
```
node_modules
tmp
.DS_Store
npm-debug.log
```
Also you might want to remove the node_modules from git.
I have domain.tld or domain.tld:3000 accessing the resource and I want both to be allowed, but in the origins I would like to specify domain.tld:* or something like that..
You can automatically test your module on travis (travis-ci.org), just add the .travis.yml file containing something like this:
```yaml
language: node_js
node_js:
```
and sign up on travis-ci.org.
Hey there,
Great work on Corser. I just had one piece of feedback from my initial looking into it: is there a particular reason the origins callback doesn't follow the typical Node (err, matches) convention? Instead, its callback just takes (matches).
This may not be a big deal, but if you're deriving the answer async'ly and you get an error, there's no way to propagate this error here, e.g. to error logging middleware later in the pipeline. It also doesn't play nicely with async control flow tools and libraries.
Not a huge deal, just sharing this feedback. Great work again and thanks!
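An added example, not Corser's own code, covering two posts above: an `origins` function that allows any port on a fixed set of hosts (the "domain.tld:*" request) and that works with a callback taking only `(matches)` (the feedback on the callback convention). Because the callback has no error slot, a failing lookup is logged and turned into a deny rather than lost. The `(origin, cb)` function shape is taken from the issue text; the host list, the `lookupPolicy` stand-in and the simulated outage hostname are constructed for this example.

```javascript
// Added example, not Corser's own code: host-based origin matching with any
// port, and fail-closed error handling behind a cb(matches)-only callback.

const ALLOWED_HOSTS = new Set(["domain.tld", "www.domain.tld"]); // constructed

// Parse an Origin value; null for "null", malformed or non-URL origins.
function parseOrigin(origin) {
  try {
    return new URL(origin);
  } catch (e) {
    return null;
  }
}

// Exact hostname match, any port. A hostname like "domain.tld.attacker.example"
// does not match because the whole hostname is compared, not a prefix.
function hostAllowed(origin, allowedHosts, requireHttps) {
  const url = parseOrigin(origin);
  if (url === null) return false;
  if (requireHttps && url.protocol !== "https:") return false;
  return allowedHosts.has(url.hostname);
}

// Stand-in for an async policy lookup (config service, database). Constructed:
// answers for known hosts and simulates an outage for one hostname.
function lookupPolicy(hostname) {
  if (hostname === "outage.tld") return Promise.reject(new Error("policy store unavailable"));
  return Promise.resolve(ALLOWED_HOSTS.has(hostname));
}

// Corser-style origins function: (origin, cb) with cb(matches). Errors cannot
// travel through cb, so they are handed to `log` and the origin is denied.
function makeOriginsFunction(log) {
  return function origins(origin, cb) {
    const url = parseOrigin(origin);
    if (url === null) return cb(false);
    lookupPolicy(url.hostname).then(
      (matches) => cb(matches === true),
      (err) => { log(err); cb(false); }
    );
  };
}
```

`makeOriginsFunction(console.error)` is what would be passed as the `origins` option; `hostAllowed` is the synchronous core and is what the checks below exercise.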
The documentation is unclear.
Below is my corser implementation. I understand that some of this might be redundant or unnecessary. I am just trying to find the magic setting to make the PUT request complete successfully:
```js
app.use(corser.create({
    corser.simpleRequestHeaders: corser.simpleRequestHeaders.concat(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
    corser.simpleResponseHeaders: corser.simpleResponseHeaders.concat(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
    corser.simpleResponseHeaders: corser.simpleResponseHeaders.concat(["Access-Control-Allow-Origin"]),
    requestHeaders: corser.simpleRequestHeaders.concat(["X-Requested-With"])
}));
app.all('', function(request, response, next) {
    response.header('Access-Control-Allow-Headers', 'Content-Type,X-Requested-With,Authorization,Access-Control-Allow-Origin');
    response.header('Access-Control-Allow-Methods', 'POST,GET,PUT,DELETE,OPTIONS');
    response.header('Access-Control-Allow-Origin', '');
    next();
});
```
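One preflight decision function for the two "still getting a preflight error" posts above (the `endPreflightRequests: false` one and the PUT one), as an added example that is not Corser's own code. `config` uses the option names Corser documents (origins, methods, requestHeaders, maxAge) but is a plain object here; `req` has the shape of Node's `http.IncomingMessage`, a `method` plus lower-cased `headers`; `CONFIG` is constructed. Two things the posts get wrong show up in the checks: the method announced in Access-Control-Request-Method (PUT, DELETE) has to be in the allowed methods, and the function only acts on an OPTIONS request, so it has to be called from a handler that receives OPTIONS. A route registered with `app.post()` never runs for OPTIONS, so a method check inside it is dead code; `app.options()`/`app.all()` or the middleware itself (endPreflightRequests left at its default) must answer the preflight.

```javascript
// Added example, not Corser's own code: decide a CORS preflight from the
// request and a plain configuration object.

const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SIMPLE_REQUEST_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

// Comma-separated header list -> trimmed, lower-cased, empty tokens dropped
// (an empty Access-Control-Request-Headers value means "nothing requested").
function csv(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter((s) => s.length > 0);
}

// Returns null when `req` is not a preflight, otherwise { status, headers, reason }.
// A refused preflight gets 403 and a reason so it shows up in server logs; the
// browser fails the request either way because the Allow-* headers are absent.
function preflightResponse(req, config) {
  const requestedMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || requestedMethod === undefined) return null;

  const origin = req.headers["origin"];
  if (config.origins !== undefined && !config.origins.includes(origin)) {
    return { status: 403, headers: {}, reason: "origin not allowed: " + origin };
  }

  const methods = config.methods.map((m) => m.toUpperCase());
  if (!methods.includes(requestedMethod.toUpperCase())) {
    return { status: 403, headers: {}, reason: "method not allowed: " + requestedMethod };
  }

  const allowedHeaders = config.requestHeaders.map((h) => h.toLowerCase());
  const rejected = csv(req.headers["access-control-request-headers"]).filter((h) => !allowedHeaders.includes(h));
  if (rejected.length > 0) {
    return { status: 403, headers: {}, reason: "header not allowed: " + rejected.join(", ") };
  }

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": config.origins === undefined ? "*" : origin,
      "Access-Control-Allow-Methods": methods.join(", "),
      "Access-Control-Allow-Headers": allowedHeaders.join(", "),
      "Access-Control-Max-Age": String(config.maxAge || 0),
    },
    reason: "ok",
  };
}

// Constructed configuration: what the second post's setup needs, with PUT and
// DELETE added to the methods explicitly and an explicit origin allow-list.
const CONFIG = {
  origins: ["https://app.example"],
  methods: SIMPLE_METHODS.concat(["PUT", "DELETE"]),
  requestHeaders: SIMPLE_REQUEST_HEADERS.concat(["x-requested-with", "authorization"]),
  maxAge: 600,
};
```

With `CONFIG`, an OPTIONS request announcing PUT from `https://app.example` gets 204 and the Allow-* headers; the same request against a configuration whose `methods` stop at GET/HEAD/POST is refused with "method not allowed: PUT", which is the symptom the second post describes.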