expressjs/cors

CORS requests with credentials should forbid `*`

Open

#333 ouverte le 19 oct. 2024

Voir sur GitHub
 (4 commentaires) (0 réactions) (0 assignés)JavaScript (476 forks)batch import
3.xbughelp wanted

Métriques du dépôt

Stars
 (5 897 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

  • Throw an error
  • Not set CORS response headers, i.e. rejecting the CORS request
  • Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

Guide contributeur