expressjs/cors

CORS requests with credentials should forbid `*`

Open

#333 aberto em 19 de out. de 2024

Ver no GitHub
 (4 comments) (0 reactions) (0 assignees)JavaScript (476 forks)batch import
3.xbughelp wanted

Métricas do repositório

Stars
 (5.897 stars)
Métricas de merge de PR
 (Nenhuma PRs mesclada em 30d)

Description

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

  • Throw an error
  • Not set CORS response headers, i.e. rejecting the CORS request
  • Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.

Guia do colaborador