Comments (4)
Hi David, thanks for your detailed report! I'm currently busy with moving to a different state, but I will get back to you as soon as I can.
I just had a quick look at the spec and you are right: I must have missed the big fat green Note: The string "*" cannot be used for a resource that supports credentials. The spec doesn't specify what to do in those cases, so your suggestions to fix the problem may not be enough to be compliant. Unfortunately, the initialization is synchronous, so we have to pick one of the ugly solutions of throwing or returning an error if origins: [] is paired with supportsCredentials: true, unless there are some new developments I am not aware of (I haven't done any JS in almost two years).
If you don't wish to throw an error then I would suggest leaving the ACAO header as the wildcard * rather than reflecting the origin. A compliant browser will refuse to share the response cross-origin due to the invalid CORS configuration, which is more secure than reflecting the origin.
Sorry for getting back to you so late. I don't like either throwing an error or relying on compliance on the browser side (a lesson I've learned in #18). What do you think of generating a warning and flipping supportsCredentials to false if origins: [] is paired with supportsCredentials: true? I'd hate to be the guy who has to figure out what's wrong if logging is not properly set up, but as far as I know it's not a commonly used feature anyway, so this may be the path of least harm...
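Added example, not corser's code: a minimal CORS header builder that models the four ways of resolving "origins: [] together with supportsCredentials: true" that come up in the thread (throw, keep the "*" and rely on the browser, warn and flip supportsCredentials to false, or reflect the request origin), plus a model of the browser-side check for a credentialed request. The option names origins and supportsCredentials follow the thread; the policy parameter, both function names and the attacker origin are assumptions made for this illustration.

```javascript
// Illustration added to this thread; it is not corser's implementation.
// Option names `origins` and `supportsCredentials` mirror the discussion;
// `policy`, both functions and the sample origins are assumptions.

// Build the CORS response headers for one request.
//   options.origins: [] means "allow any origin" (wildcard), as in the thread.
//   policy: how to resolve origins: [] combined with supportsCredentials: true
//     'throw'               - fail at configuration time
//     'keep-wildcard'       - emit "*" anyway; a compliant browser rejects it
//     'disable-credentials' - warn and drop credentials support (the last comment's proposal)
//     'reflect'             - echo the request origin (insecure, shown for contrast)
function buildCorsHeaders(options, requestOrigin, policy = 'disable-credentials', warn = console.warn) {
  const origins = options.origins || [];
  let supportsCredentials = Boolean(options.supportsCredentials);
  const wildcard = origins.length === 0;
  const headers = {};

  if (wildcard && supportsCredentials) {
    if (policy === 'throw') {
      throw new Error('origins: [] cannot be combined with supportsCredentials: true; ' +
        'CORS forbids Access-Control-Allow-Origin: * on credentialed responses');
    }
    if (policy === 'reflect') {
      // Every origin on the internet becomes a credentialed origin.
      headers['Access-Control-Allow-Origin'] = requestOrigin;
      headers['Access-Control-Allow-Credentials'] = 'true';
      headers['Vary'] = 'Origin';
      return headers;
    }
    if (policy === 'keep-wildcard') {
      headers['Access-Control-Allow-Origin'] = '*';
      headers['Access-Control-Allow-Credentials'] = 'true';
      return headers;
    }
    // 'disable-credentials': warn once and serve a plain wildcard response.
    warn('origins: [] with supportsCredentials: true is not valid CORS; ' +
      'serving Access-Control-Allow-Origin: * without credentials');
    supportsCredentials = false;
  }

  if (wildcard) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (origins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
    if (supportsCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  // An origin that is not listed gets no CORS headers at all.
  return headers;
}

// Model of the browser-side check for a request sent with credentials
// (cookies, HTTP auth): "*" is rejected, the allowed origin must match the
// request origin exactly, and Allow-Credentials must be literally "true".
function browserSharesCredentialedResponse(headers, requestOrigin) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined || allowOrigin === '*') return false;
  if (allowOrigin !== requestOrigin) return false;
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// Run all four policies against the same (constructed) attacker origin and
// report which ones let the browser hand the response to that origin.
function compare(requestOrigin = 'https://attacker.example') {
  const config = { origins: [], supportsCredentials: true };
  const result = {};
  for (const policy of ['reflect', 'keep-wildcard', 'disable-credentials', 'throw']) {
    try {
      const h = buildCorsHeaders(config, requestOrigin, policy, () => {});
      result[policy] = { headers: h, shared: browserSharesCredentialedResponse(h, requestOrigin) };
    } catch (e) {
      result[policy] = { error: e.message };
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compare(), null, 2));
}
```

Running compare() shows the point made in the third comment: only the reflect policy results in a credentialed response the browser will share with an arbitrary origin; keep-wildcard is refused by the browser check, and disable-credentials never emits Access-Control-Allow-Credentials in the first place, so it does not depend on the browser being compliant.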