koajs / cors
Cross-Origin Resource Sharing (CORS) for koa
License: Other
At the moment the library does not allow handling the scenario in which the origin is not allowed to access the resource: it expects `options.origin` to always return a string. That leads to developers having to come up with a "workaround" configuration (for example here or here), which is not ideal:
- `false`/`undefined` from the `origin` function causes the middleware to be completely ignored, which seems to be a feature of this library as there's a unit test that proves this behaviour.
- `null` is not a good practice because of security issues, as described in this issue.
If the request `Origin` is not allowed, the middleware should be able to respond to pre-flight requests immediately with no `Access-Control` headers being returned at all.
I want to configure Access-Control-Allow-Origin dynamically, while acquiring the configuration is an asynchronous operation.
If `origin` is set to `*` it is not sent. It doesn't matter if it's left as the default or set explicitly.
This is my config:
```javascript
const Koa = require('koa');
const convert = require('koa-convert'); // assumed imports, not shown in the original report
const cors = require('@koa/cors');
const app = new Koa();

app.use(convert(require('koa-static')(__dirname + '/public')))
app.use(cors({
  origin: function (ctx) {
    return '*';
  },
  exposeHeaders: ['WWW-Authenticate', 'Server-Authorization'],
  maxAge: 5,
  credentials: true,
  allowMethods: ['GET', 'POST', 'DELETE'],
  allowHeaders: ['Content-Type', 'Authorization', 'Accept'],
}))
```
Error reported when I access files under public:
```
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
When using the default options, as the docs describe, without defining an `origin`, the response will set Access-Control-Allow-Origin to the request Origin header.
Enable cors with default options:
```
origin: request Origin header
```
But if hit with a request that sets `Origin: null`, then the response will be `Access-Control-Allow-Origin: null`.
There's a lot of sources that say don't do this...
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
I'm not really an expert in this area, but would there be a better default behavior than..
```javascript
// https://github.com/koajs/cors/blob/master/index.js#L66
origin = options.origin || requestOrigin;
```
... if the requestOrigin were null?
I am using koa/cors for a REST API I'm developing. I noticed that setting up a CDN didn't reduce the number of requests, so I started checking everything and eventually found that cors adds the `Vary: Origin` header, which was preventing the CDN from working.
I don't know a lot about http headers and CORS internal workings so I just solved it by adding `ctx.remove('Vary')` when setting the Cache-Control header. Maybe I'm doing something wrong but with that everything seems to work fine. I'd appreciate any guidance.
Thanks
```
GMT koa deprecated Support for generators will be removed in v3. See the documentation for examples of how to convert old middleware https://github.com/koajs/koa/blob/master/docs/migration.md at server\index.js:6:5
```
```javascript
app.use(cors())
```
Specifically: can I do
```javascript
const cors = require('kcors');
var optCors = { 'some': 'set', 'of': 'options' };
var router = require('koa-router')({ prefix: '/api' });
router.use(cors(optCors)); // pass the options object itself, not the shorthand { optCors }
```
or even
```javascript
router.get('/someUrl', cors(), function* (next) {
  // some processing
});
```
instead of the standard documented `app.use(cors())`?
Koa 2 is released.
I think that CORS design is completely unnecessary, and so should be abandoned. I have laid down my arguments, if you think you know this issue pretty well, would you please look at it, and comment it.
https://github.com/jackzhp/CORS-should-retire
or
http://blog.sina.com.cn/s/blog_93b70ae70102wxe8.html
Hi all: I need to proxy some custom headers, what should I do? Thanks!
Hi,
Loving the package so far! Well done.
The following code can be used to specify a specific origin for CORS using kcors:
```javascript
var cors = require('kcors');
// Configure cross-origin requests from localhost:3000
var config = {origin: 'http://localhost:3000'};
app.use(cors(config));
```
It would be great if we could specify more than one origin via an array:
```javascript
var config = {origin: ['http://localhost:3000', 'http://mydomain.com']};
app.use(cors(config));
```
It's possible to specify multiple hosts using separate Access-Control-Allow-Origin headers, e.g:
```
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Origin: http://mydomain.com
```
Can I submit a PR to add support for this?
Thanks!
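Three posts above raise related points: reflecting a `null` Origin, the `Vary: Origin` header that the CDN user removed, and supporting several allowed origins. The following added example (not code from koajs/cors) shows one resolver that covers all three: it echoes only an allow-listed origin (a browser accepts a single value in Access-Control-Allow-Origin, so the match is echoed rather than every origin listed), never reflects `null`, emits `Vary: Origin` whenever the answer depends on the request, and refuses the wildcard-plus-credentials combination. The option names `allowed` and `credentials` and the sample origins are assumptions.

```javascript
// Added example, not code from koajs/cors. Option names `allowed` and
// `credentials` are assumptions; `allowed` is '*', one origin, or an array.
function corsHeadersFor(requestOrigin, { allowed, credentials = false }) {
  // No Origin header: not a cross-origin request, so no CORS headers at all.
  if (!requestOrigin) return {};

  // Browsers send the literal "null" origin for sandboxed iframes, file:// pages
  // and some redirects. Reflecting it would grant every such document access,
  // so it is treated as not allowed. Vary: Origin still goes out so a shared
  // cache cannot serve this header-less response to an allowed origin later.
  if (requestOrigin === 'null') return { Vary: 'Origin' };

  if (allowed === '*') {
    // A wildcard answer is identical for every caller, so no Vary is needed.
    // Browsers reject '*' when credentials are used, and reflecting the caller
    // instead would expose credentialed responses to any site, so that
    // combination is refused outright (it is a configuration error).
    return credentials ? {} : { 'Access-Control-Allow-Origin': '*' };
  }

  // Explicit list: exact, scheme-inclusive match. A single string is a list of one.
  const list = Array.isArray(allowed) ? allowed : [allowed];
  const headers = { Vary: 'Origin' };                // the answer depends on Origin
  if (!list.includes(requestOrigin)) return headers; // disallowed: no ACAO at all

  // Only one value may appear in Access-Control-Allow-Origin, so echo the match
  // rather than listing every allowed origin.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Koa-style wrapper; ctx.get() and ctx.set() are Koa's real request/response accessors.
function corsMiddleware(options) {
  return async (ctx, next) => {
    for (const [name, value] of Object.entries(corsHeadersFor(ctx.get('Origin'), options))) {
      ctx.set(name, value);
    }
    await next();
  };
}
```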
Hi,
I have a situation where, when I receive a response with an error status (in this case status 416), there are no CORS headers present on the response. It works fine otherwise. Any idea why this could be?
Cheers,
Nick
In 677833d an unconditional `yield next;` has been added at the end of the middleware. It is breaking preflight requests on our servers because in earlier versions the middleware chain stopped at `this.status = 204`.
Hi
I want this project not to require an additional typing library (@types/koa__cors) when coding in TypeScript. This could be solved by adding a .d.ts file. Any ideas?
`{String|Function(ctx)} origin` Access-Control-Allow-Origin, default is request Origin header
What return value does Function(ctx) expect?
I tried
```javascript
origin: ctx => ctx.request.origin
```
It doesn't work.
Is koa cors still maintained? Do you need any help? I am happy to collaborate.
How do I set options?
Please make this module spec-compliant :) An example where it is not, which I noticed right away, is that this module considers any request with an Origin request header to be a CORS request. This is actually not the indicator of what is or isn't a CORS request. You can find more within the spec.
The biggest failure right now is that this module doesn't correctly handle preflight requests, as it makes a mistake in the processing of section 6.2 (http://www.w3.org/TR/cors/#resource-preflight-requests), step 3:
If there is no Access-Control-Request-Method header or if parsing failed, do not set any additional headers and terminate this set of steps. The request is outside the scope of this specification.
If I send an OPTIONS request with an Origin request header and no Access-Control-Request-Method request header, this module still adds CORS response headers.
You can find the spec here: http://www.w3.org/TR/cors/
node throws this exception
```
error: uncaughtException: Cannot find module '@koa/cors' date=Mon Nov 20 2017 08:02:33
```
when requiring this module
```javascript
const cors = require('@koa/cors');
```
Is this module still updated?
Describe the bug
While scanning my React.js application's manifest file using Vulert for vulnerability checks, I identified an issue associated with your package.
Reference
Upon conducting a vulnerability scan, the following references were identified:
Vulert Scan Report: Vulert Report
CVE Reference: CVE-2023-49803
```
Mon, 26 Dec 2016 18:51:50 GMT koa deprecated Support for generators will been removed in v3. See the documentation for examples of how to convert old middleware https://github.com/koajs/koa/tree/v2.x#old-signature-middleware-v1x at src/app.js:18:4
```
When using `ctx.throw` or `ctx.assert` the cors headers are not sent back. Maybe I'm using it wrong but any help would be welcome :).
example:
```javascript
router.post('/', (ctx) => {
  let {name, jurisdiction, parentTitle} = ctx.request.body;
  const project = ctx.request.body;
  // responds 400 when any of the fields is missing
  ctx.assert(name && jurisdiction && parentTitle, 400);
  ctx.body = project;
});
```
Thanks!
I don't understand why the latest commit sets the default Access-Control-Allow-Origin to *. This makes no difference to setting it as the request Origin, as both will break the browser's same-origin policy restrictions. The safest option is to default to empty, letting users specify the origin value themselves.
What is the reason it is not part of the default methods?
The headers don't seem to be getting set on the latest version of Koa 2 with node 6.2. Any ideas?
Hi guys, any plans to support Access-Control-Request-Private-Network?
original:
```shell
$ npm install @koa/cors@2 --save
```
new:
v2 latest:
```shell
$ npm install @koa/cors@2 --save
```
v3:
```shell
$ npm install @koa/cors@3 --save
```
Please add a sentence to the documentation that it needs to be 'used' before the router, thanks!
see:
https://stackoverflow.com/questions/44775299/why-cant-koa-router-be-put-before-koa-cors
Grabbed from https://github.com/koajs/cors/blob/master/index.js#L59
Opened #44 for non async/await supported versions and #43 for a more up to date version.
#42 just fixes the test runner that was leaving connections hanging.
Can someone give a look on them please?
I use koa-socket-2.
```
'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```
I got it: https://github.com/koajs/cors/blob/master/index.js#L138
Originally posted by @slip-box in #71 (comment)
allowHeaders don't proxy custom headers [1] to koa middleware. [2]
[1]
```javascript
server.applyMiddleware({
  app,
  cors: {
    allowHeaders: ['authorization'],
  },
})
```
[2]
```javascript
import Koa from 'koa'
export const app = new Koa()
app.use(async (ctx, next) => {
  ctx.req.headers.authorization // this is undefined
  await next()
})
```
I tried
```javascript
app.use(cors({
  origin: function (ctx) {
    if (['https://www.example1.com', 'https://www.example2.com'].includes(ctx.get('Origin'))) {
      return ctx.get('Origin');
    }
    return null; // for any origin not on the list
  }
}));
```
But it doesn't work, any solution?
In https://www.npmjs.com/package/@koa/cors, its README shows:
```
{String|Function(ctx)} origin
Access-Control-Allow-Origin, default is '*'
```
But on GitHub, its README shows:
```
- {String|Function(ctx)} origin
Access-Control-Allow-Origin, default is request Origin header
```
The GitHub version is the actual behavior.
The recent breaking change to fix this advisory fixes the scenario where an `origin` is not specified, but it breaks the scenario where it is.
If an Origin is supplied in the request, the spec states the server "must return the origin for the specific client making the request" (i.e. the `origin` passed in). All my apps and test suites are configured to expect this behaviour; however, this library now returns `*` instead.
Could you confirm that was the intended behaviour, to ignore the incoming request origin in all scenarios?
If a browser sends an OPTIONS request but the origin does not match, koajs/cors now returns a 404 status code, due to https://github.com/koajs/cors/blob/master/index.js#L60. The browser will then warn about the 404, and some users will be confused about whether they need to register an OPTIONS route.
Should it return 204 here?
I don't find any clear description in the spec:
https://www.w3.org/TR/cors 7.1.5 Cross-Origin Request with Preflight
And according to the spec below, OPTIONS should never return 404:
Responses to the OPTIONS method are not cacheable.
A 404 response is cacheable by default;
And Express will return 204, https://github.com/expressjs/cors/blob/master/lib/index.js#L178
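Two posts on this page concern preflight handling: the spec-compliance post (an OPTIONS request without Access-Control-Request-Method is not a preflight) and the 404-on-mismatch post above. As an added example, not code from koajs/cors, the function below classifies a request by those rules and answers a preflight whose origin, method or headers are not allowed with 204 and no Access-Control-* headers, so the request terminates at the middleware without reaching the router. It assumes `req` is a plain { method, headers } object with lower-cased header names, and the option names are assumptions too.

```javascript
// Added example, not code from koajs/cors. `req` is a plain { method, headers }
// object with lower-cased header names; the option names are assumptions.
function handlePreflight(req, { allowed, allowMethods = ['GET', 'HEAD', 'POST'],
                                allowHeaders = [], maxAge = 600 }) {
  const origin = req.headers['origin'];
  const requestedMethod = req.headers['access-control-request-method'];

  // Spec preflight step 3: without Access-Control-Request-Method this is an
  // ordinary OPTIONS request, not a preflight. Add nothing and let it through.
  if (req.method !== 'OPTIONS' || !origin || !requestedMethod) {
    return { preflight: false, status: null, headers: {} };
  }

  // Every branch below depends on Origin, so caches must key on it.
  const headers = { Vary: 'Origin' };

  // Origin or method not allowed: finish the preflight here with 204 and no
  // Access-Control-* headers, so the browser fails the request cleanly instead
  // of the router answering 404 for a route it never had.
  if (!allowed.includes(origin) || !allowMethods.includes(requestedMethod.toUpperCase())) {
    return { preflight: true, status: 204, headers };
  }

  // Each requested header must be on the configured list (case-insensitive);
  // for brevity, CORS-safelisted headers are not special-cased here.
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedLower = allowHeaders.map((h) => h.toLowerCase());
  if (!requested.every((h) => allowedLower.includes(h))) {
    return { preflight: true, status: 204, headers };
  }

  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Methods'] = allowMethods.join(',');
  if (allowHeaders.length) headers['Access-Control-Allow-Headers'] = allowHeaders.join(',');
  headers['Access-Control-Max-Age'] = String(maxAge);
  return { preflight: true, status: 204, headers };
}

// Constructed sample requests (not captured traffic) against one configuration.
const preflightOptions = { allowed: ['https://app.example'],
  allowMethods: ['GET', 'POST', 'DELETE'], allowHeaders: ['Content-Type', 'Authorization'] };
const plainOptionsRequest = { method: 'OPTIONS', headers: { origin: 'https://app.example' } };
const deletePreflight = { method: 'OPTIONS', headers: { origin: 'https://app.example',
  'access-control-request-method': 'DELETE', 'access-control-request-headers': 'authorization' } };
```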
might be better than kcors, especially since there's a koa-cors that is no longer maintained
```
» npm audit
=== npm audit security report ===
# Run  npm install --save-dev [email protected]  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > debug                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > growl                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 critical) in 3653 scanned packages
  2 vulnerabilities require semver-major dependency updates.
```
I read the code and felt puzzled about always setting status 204 for the response to an OPTIONS request (preflight request). I thought it should be controlled by other components like a real backend (mine is Django).
It would be great if you could reply and give a hand.