
corser's People

Contributors

agrueneberg, hamburml, iamfromspace, tuxpiper


corser's Issues

Support FTP

FTP is required to retrieve information from certain biological databases, e.g. ftp://ftp.ncbi.nlm.nih.gov/genomes/Viruses/Bundibugyo_ebolavirus_uid51245/NC_014373.faa.

Chrome and Firefox behavior is different when making HTTP-DELETE CORS requests

Hello!

I am using deployd (https://github.com/deployd/deployd) which is using corser for cors-requests.

I found out that Firefox 48 and Chrome 52 are different when sending Method-Options Requests. I have an API and a Client. The API and the Client do not share the same domain, so CORS Requests are used.
When deleting a resource on the API delete-method is used.

Firefox sends:
access-control-request-method: DELETE

Chrome sends:
access-control-request-method: DELETE
req.headers['access-control-request-headers']: (empty string)

In line https://github.com/agrueneberg/Corser/blob/master/lib/corser.js#L129 the request-headers is used to find out if the browser wants to send custom headers. When this header is not sent, the requestHeaders array is empty and the following https://github.com/agrueneberg/Corser/blob/master/lib/corser.js#L143 is true. But when using Chrome the header is present. The header "" (empty string) is searched but of course can't be found.

I am not sure but I think this is either a bug from chrome or from corser.

edit

Bug is from chrome. https://bugs.chromium.org/p/chromium/issues/detail?id=633729
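The empty-header case from this issue, as an added example that is not part of the original post and is not Corser's code: a naive split of `Access-Control-Request-Headers` next to a parser that tolerates the empty string. The function names, the allowlist and the two sample requests are constructed for illustration.

```javascript
// Model of a preflight header-list check; names and data are constructed.
const allowedRequestHeaders = ["accept", "accept-language", "content-language", "content-type"];

// Naive parsing: "".split(",") yields [""], i.e. one empty field name,
// which can never match an entry in the allowlist.
function parseNaive(value) {
  if (value === undefined) return [];
  return value.split(",").map((h) => h.trim().toLowerCase());
}

// Tolerant parsing: an absent header and an empty header both mean
// "no non-simple headers requested"; empty tokens are dropped.
function parseTolerant(value) {
  if (typeof value !== "string") return [];
  return value
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// True when every requested header name is on the allowlist.
function preflightHeadersAllowed(reqHeaders, parse) {
  const requested = parse(reqHeaders["access-control-request-headers"]);
  return requested.every((h) => allowedRequestHeaders.includes(h));
}

// Constructed preflight requests matching the two browsers' behaviour above.
const firefoxPreflight = { "access-control-request-method": "DELETE" };
const chromePreflight = {
  "access-control-request-method": "DELETE",
  "access-control-request-headers": "",
};

console.log("naive, Firefox:", preflightHeadersAllowed(firefoxPreflight, parseNaive));
console.log("naive, Chrome:", preflightHeadersAllowed(chromePreflight, parseNaive));
console.log("tolerant, Chrome:", preflightHeadersAllowed(chromePreflight, parseTolerant));
```

The tolerant parser still rejects a header name that is not on the allowlist, so dropping empty tokens does not widen what a preflight may request.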

[QUESTION] [SUGGESTION]

Hey, I was reading through the docs for your npm module and got kinda stuck on the part where you explain the configuration Object.

I am working on a server that's supposed to be configured through a config file. I also want to make the origins I allow configurable. (Not just allow all of them by just calling corser.create() as middleware).
However I got stuck on the type of the origins property. Also, can you insert an * into the property of the config object to allow all origins anyway?
(Else I have to create some code to make sure everything works the way I want it to)

Suggestion

You might want to pimp your readme file a bit to make it more clear for people on how to use your module. I personally document all my code using JSDoc and then use a handy tool to write that JSdoc into markdown format. You can see the result of this in the documentation of my npm module called magister-tools.

The handy module I use to do this is called jsdoc-to-markdown

If you want to do it your way it's fine

However, please make sure to include the type of every property on the config Object and a clear description of what it does. Along with any special values you can put into the property etc. (like a * or something)

I recommend putting it into a markdown table like this for readability but that's totally up to you!

| property-name | type | Description |
| --- | --- | --- |
| Example | string | An example string |

It would be cool if you updated your README file but just an answer would do fine!

I realize not everyone has as much time as I do etc.

Awesome module BTW!

Returns Access-Control-Allow-Credentials Header for All Origins

When corser is applied without the origins option, the ACAO header is set to *. However, if it is applied without the origins option AND the supportsCredentials option is enabled, the middleware silently reflects the requesting origin in the ACAO header. This leaves the application open to cross-domain attacks since any origin can read the response to credentialed requests.

The relevant portion of code is located at https://github.com/agrueneberg/Corser/blob/master/lib/corser.js#L163-L169

Allowing arbitrary origins to read credentialed responses is specifically forbidden in the CORS spec. I suggest warning the developer when the supportsCredentials option is enabled with an undefined origins option, or leaving the ACAO header as * and letting the cors-compliant browsers reject the cross-origin response due to improper CORS headers.
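The behaviour reported in this issue next to a hardened decision, as an added example that is not part of the original post and is not Corser's code. It is a stand-alone model: only the option names `origins` and `supportsCredentials` come from the issue, the function names and origins are constructed, and the hardened form rejects the configuration outright, which is a stricter variant of the warning the issue suggests.

```javascript
// Stand-alone model of the header decision; not Corser's code.
// `origins` and `supportsCredentials` are the option names used in the issue.
const hasAllowlist = (o) => Array.isArray(o.origins) && o.origins.length > 0;

// Behaviour as the issue reports it: credentials on + no allowlist => reflect Origin.
function corsHeadersAsReported(options, origin) {
  const headers = {};
  if (hasAllowlist(options) && !options.origins.includes(origin)) return headers;
  if (hasAllowlist(options) || options.supportsCredentials) {
    headers["Access-Control-Allow-Origin"] = origin; // reflected, even if never vetted
    headers["Vary"] = "Origin";
  } else {
    headers["Access-Control-Allow-Origin"] = "*";
  }
  if (options.supportsCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Hardened: reject the configuration up front instead of reflecting.
function validateCorsOptions(options) {
  if (options.supportsCredentials && !hasAllowlist(options)) {
    throw new Error("supportsCredentials requires an explicit origins allowlist");
  }
  return options;
}

function corsHeadersHardened(options, origin) {
  validateCorsOptions(options);
  const headers = {};
  if (!hasAllowlist(options)) {
    headers["Access-Control-Allow-Origin"] = "*"; // public, non-credentialed only
    return headers;
  }
  if (!options.origins.includes(origin)) return headers; // no CORS headers at all
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Vary"] = "Origin";
  if (options.supportsCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Constructed origins for the demonstration.
const reported = corsHeadersAsReported({ supportsCredentials: true }, "https://untrusted.example");
console.log("as reported:", reported);
const hardened = corsHeadersHardened(
  { origins: ["https://app.example"], supportsCredentials: true }, "https://untrusted.example");
console.log("hardened, unlisted origin:", hardened);
```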

add a .gitignore file

Awesome module, really love it and use it extensively. One thing you might want to consider is adding a .gitignore file to avoid pushing node_modules to git.

Typical content would look like:

node_modules
tmp
.DS_Store
npm-debug.log

Also you might want to remove the node_modules from git.

Add it to travis

You can automatically test your module on travis (travis-ci.org), just add the .travis.yml file containing something like this:

language: node_js
node_js:
  - 0.6
  - 0.7

and sign up on travis-ci.org.

Origins callback doesn't follow Node error convention?

Hey there,

Great work on Corser. I just had one piece of feedback from my initial looking into it: is there a particular reason the origins callback doesn't follow the typical Node (err, matches) convention? Instead, its callback just takes (matches).

This may not be a big deal, but if you're deriving the answer async'ly and you get an error, there's no way to propagate this error here, e.g. to error logging middleware later in the pipeline. It also doesn't play nicely with async control flow tools and libraries.

Not a huge deal, just sharing this feedback. Great work again and thanks!

NodeJS/Express PUT request failing with: No 'Access-Control-Allow-Origin' header is present on the requested resource

The documentation is unclear.

Below is my corser implementation. I understand that some of this might be redundant or unnecessary. I am just trying to find the magic setting to make the PUT request complete successfully:

app.use(corser.create({
    corser.simpleRequestHeaders: corser.simpleRequestHeaders.concat(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
    corser.simpleResponseHeaders: corser.simpleResponseHeaders.concat(["GET", "POST", "PUT", "DELETE", "OPTIONS"]),
    corser.simpleResponseHeaders: corser.simpleResponseHeaders.concat(["Access-Control-Allow-Origin"]),
    requestHeaders: corser.simpleRequestHeaders.concat(["X-Requested-With"])
}));
app.all('*', function(request, response, next) {
    response.header('Access-Control-Allow-Headers', 'Content-Type,X-Requested-With,Authorization,Access-Control-Allow-Origin');
    response.header('Access-Control-Allow-Methods', 'POST,GET,PUT,DELETE,OPTIONS');
    response.header('Access-Control-Allow-Origin', '*');
    next();
});
