Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Why run request handlers "successfully" if the request fails CORS?
See original GitHub issueIf a request fails CORS as specified by this module’s configuration, the module will not set the CORS headers on the response. However, it will still call next, causing the usual request handler to run. This can be a problem if the request is expensive to handle, or has side effects.
What is the thinking behind this? It seems reasonable to terminate the request immediately, or at least call next with an error, if it’s going to fail client-side due to the lack of CORS headers.
Here is a small project demonstrating this issue: https://github.com/mixmaxhq/cors-response-tester.
Issue Analytics
- State:
- Created 6 years ago
- Reactions:1
- Comments:8 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
HI @wearhere sure, feel free to make that PR. I’m a little confused, because it won’t even work for your use-case; a missing
Originheader won’t be a mismatch at all, just FYI. Also, I think the line references you gave are not at all where those check should go, because they would only apply to the dynamic origin function, not all the others like a static origin string, array, etc.Please be aware that this module supports all Node.js and not is Express-only, so you need to use only the Node.js API https://nodejs.org/dist/latest-v6.x/docs/api/http.html#http_class_http_serverresponse
Hi @wearhere you were asking, technically why the default behavior was the way it was, which is that the default is closest to the specification. We provide mechanisms to differ from the spec as I provided above for your use-case, so I hope that helps.
The CORS specification was never designed as a security mechanism to prevent routes from being called; it was only designed as a mechanism to allow a hole to be added to the cross-origin rules of browser user agents. The specification is designed such that a “CORS failure” should look exactly as if the server has no idea what CORS is–in which case the request will still go through.
I would suggest bring this up to the W3C if you would like implementers to implement it differently, and I would be happy to do so; this really isn’t the forum to get changes progressed through the specification 😃