expressjs/cors

CORS requests with credentials should forbid `*`

Open

#333 aperta il 19 ott 2024

Vedi su GitHub
 (4 commenti) (0 reazioni) (0 assegnatari)JavaScript (476 fork)batch import
3.xbughelp wanted

Metriche repository

Star
 (5897 star)
Metriche merge PR
 (Nessuna PR mergiata in 30 g)

Descrizione

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

  • Throw an error
  • Not set CORS response headers, i.e. rejecting the CORS request
  • Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

Guida contributor