Access-Control-Allow-Origin set to * despite setting origins
Note: for support questions, please use one of these channels: stackoverflow or slack
You want to:
- report a bug
- request a feature
Current behaviour
Despite setting up origins to xxxx.yyyy.zzz.www:3000 in the socket.io listener and the exact same address in the socket.io-client connect method, the Access-Control-Allow-Origin is set to * when starting the app. It happens only with GET requests.
Steps to reproduce (if the current behaviour is a bug)
Start server side socket.io with the following params:
```js
exports.start = (server) => {
  io = exports.socketio.socketio.listen(server, {
    // the only origin that is expected to be allowed
    origins: 'https://xxxx.yyyy.zzz.www:3000',
    rejectUnauthorized: false,
    wsEngine: 'ws',
    transports: ['websocket', 'polling']
  });
  exports.connect();
};
```
Start client side socket.io-client with the following params:
```js
let socket = socketIoClient.io.connect(
  'https://xxxx.yyyy.zzz.www:3000',
  {
    secure: true,
    rejectUnauthorized: false
  });
```
Note: the best way to get a quick answer is to provide a failing test case, by forking the following fiddle for example.
Expected behaviour
When inspecting the headers of the socket.io communication I expect the Access-Control-Allow-Origin header to be set to https://xxxx.yyyy.zzz.www:3000
Current behaviour
The Access-Control-Allow-Origin header is set to * for GET requests.
Please ignore the fact on the above screen that it shows localhost; it happens on the production server too, but because of security, I had to post the response without revealing the IP address (thank you).
Setup
- OS: Mac, Linux
- browser: Chrome
- socket.io version: 2.0.4
Other information (e.g. stacktraces, related issues, suggestions how to fix)
Issue Analytics
- State:
- Created 6 years ago
- Reactions:3
- Comments:6 (3 by maintainers)
Top GitHub Comments
@FabianElsmer there are a few additional changes that we’d like to include in Socket.IO v3, but I think we’ll have a release candidate by next week.
@phffmn you can provide an array too:
In fact, all options are forwarded to the cors module. Reference: https://www.npmjs.com/package/cors#configuration-options
I think this issue can now be closed.
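
One way to check for the behaviour reported in this issue, as an added example that is not part of the original thread or of Socket.IO's code: audit captured response headers against the configured origin allowlist. The function names, the origin `https://app.example.test:3000` and the captured exchanges are constructed for illustration.

```javascript
// Added example: audit captured response headers against the origin allowlist.
// All names and sample data below are constructed for illustration.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Classify one response: 'ok', 'missing', 'wildcard',
// 'wildcard-with-credentials' or 'unexpected-origin'.
function auditAllowOrigin(headers, allowedOrigins) {
  const acao = getHeader(headers, 'Access-Control-Allow-Origin');
  if (acao === undefined || acao === '') return 'missing';
  if (acao === '*') {
    const creds = getHeader(headers, 'Access-Control-Allow-Credentials');
    return creds === 'true' ? 'wildcard-with-credentials' : 'wildcard';
  }
  // Browsers compare the header value with the serialized origin exactly.
  return allowedOrigins.includes(acao) ? 'ok' : 'unexpected-origin';
}

// Return only the exchanges whose header deviates from the allowlist.
function auditCapture(exchanges, allowedOrigins) {
  return exchanges
    .map((ex) => ({ method: ex.method, url: ex.url, result: auditAllowOrigin(ex.headers, allowedOrigins) }))
    .filter((finding) => finding.result !== 'ok');
}

// Constructed capture: the GET polling responses carry '*', the POST does not.
const ALLOWED = ['https://app.example.test:3000'];
const CAPTURE = [
  { method: 'GET', url: '/socket.io/?EIO=3&transport=polling',
    headers: { 'Access-Control-Allow-Origin': '*' } },
  { method: 'POST', url: '/socket.io/?EIO=3&transport=polling',
    headers: { 'access-control-allow-origin': 'https://app.example.test:3000' } },
  { method: 'GET', url: '/socket.io/?EIO=3&transport=polling',
    headers: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' } },
  { method: 'GET', url: '/health', headers: { 'Content-Type': 'text/plain' } },
];

for (const f of auditCapture(CAPTURE, ALLOWED)) {
  console.log(`${f.result}: ${f.method} ${f.url}`);
}
```

Run against headers exported from the browser's network panel or a proxy, this flags every response where the wildcard is returned instead of the configured origin, including the GET-only case described above.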