Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple cors middlewares on same request? #79

Open
olalonde opened this issue May 27, 2016 · 5 comments
Open

Multiple cors middlewares on same request? #79

olalonde opened this issue May 27, 2016 · 5 comments
Labels
ideas

Comments

@olalonde
Copy link

olalonde commented May 27, 2016
edited

I have an API where I want every path to be CORS-enabled for all origins except for /auth/connect/twitter because it uses a cookie based session.

I was wondering if it would be possible to make it so that the last cors() middleware always overrides precedent ones. E.g.

router.use(cors())
router.use(cors({ origin: 'http://mydomain.com' }))

should set the Access-Control-Allow-Origin to http://mydomain.com. Is that possible?
@sjberry
Copy link

sjberry commented Jun 3, 2016
edited

Running into the same issue. From what we can tell multiple calls to cors strictly append to the existing headers. While there may be a use case for this, not being able to override this behavior is a non-starter.

We don't want Access-Control-Allow-Origin to be *,http://example.com.

Probably just going to gut cors for now since this is time sensitive.

EDIT: You can specify preflightContinue to add specific header overrides using express' native .setHeader() on OPTIONS requests. This resolves our problem, but @olalonde's use case is still not possible so far as I can tell (it's obvious in the source code as to why this is the case and it's probably working as intended).

@olalonde
Copy link
Author

olalonde commented Jun 4, 2016
edited

Yes, I ended up doing something like this:

    const corsMiddleware = cors()
    router.use((req, res, next) => {
      if (req.path.match(/^\/auth\/connect\//)) {
        // let later cors middleware handle it!
        return next()
      }
      return corsMiddleware(req, res, next)
    })

@troygoode
Copy link
Member

I like your solution @olalonde

@ghost
Copy link

ghost commented Dec 7, 2017
edited by ghost

I was looking into the code for cors today and I think it might be supported out of the box. It appears that there are undocumented code that supports regular expressions and arrays. When you pass an object to cors() it calls the private function isOriginAllowed with what is inside the origin property if that is not a function. That supports Array and RegExp, so you could actually have a regular expression for your domain. And it will only add the Access-Control-Allow-Origin Header if req.headers.origin matches

function isOriginAllowed(origin, allowedOrigin) {
    if (Array.isArray(allowedOrigin)) {
      for (var i = 0; i < allowedOrigin.length; ++i) {
        if (isOriginAllowed(origin, allowedOrigin[i])) {
          return true;
        }
      }
      return false;
    } else if (isString(allowedOrigin)) {
      return origin === allowedOrigin;
    } else if (allowedOrigin instanceof RegExp) {
      return allowedOrigin.test(origin);
    } else {
      return !!allowedOrigin;
    }
  }

@expressjs expressjs deleted a comment from ChanJit Jan 3, 2018
@expressjs expressjs deleted a comment from ChanJit Jan 3, 2018
@aman-ka
Copy link

aman-ka commented Apr 25, 2021

hey Hii every one i am new to opensource world can any one help me in making my first contribution in this library.by explaining it more to me and guiding me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ideas
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dougwilson @troygoode @olalonde @sjberry @aman-ka