expressjs/cors

CORS requests with credentials should forbid `*`

Open

#333 opened on Oct 19, 2024

View on GitHub
 (4 comments) (0 reactions) (0 assignees)JavaScript (5,897 stars) (476 forks)batch import
3.xbughelp wanted

Description

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

  • Throw an error
  • Not set CORS response headers, i.e. rejecting the CORS request
  • Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

Contributor guide

Tech stack
javascriptnodejsexpress
Domain
apisecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Basic CORS knowledgeJavaScript
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
80
Research direction
Examine the source code of the cors middleware, particularly the logic that sets Access Control Allow Origin and Access Control Allow Credentials. Look at the options handling for 'credentials'. The specification links in the issue detail the forbidding of wildcard with credentials. Consider implementing one of the suggested approaches: throw an error or reflect the Origin header with Vary. Check existing tests to ensure compliance.