
Access-Control-Allow-Origin set to * despite setting origins


Note: for support questions, please use one of these channels: stackoverflow or slack

You want to:

  • report a bug
  • request a feature

Current behaviour

Despite setting up origins to xxxx.yyyy.zzz.www:3000 in the socket.io listener and the exact same address in the socket.io-client connect method, the Access-Control-Allow-Origin is set to * when starting the app. It happens only with GET requests.

Steps to reproduce (if the current behaviour is a bug)

Start server side socket.io with the following params:

exports.start = (server) => {
    io = exports.socketio.socketio.listen(server, {
        origins: 'https://xxxx.yyyy.zzz.www:3000',
        rejectUnauthorized: false,
        wsEngine: 'ws',
        transports: ['websocket', 'polling']
    });
    exports.connect();
};

Start client side socket.io-client with the following params:

let socket = socketIoClient.io.connect(
        'https://xxxx.yyyy.zzz.www:3000',
        { 
            secure: true, 
            rejectUnauthorized: false
        });

Note: the best way to get a quick answer is to provide a failing test case, by forking the following fiddle for example.

Expected behaviour

When inspecting the headers of the socket.io communication I expect the Access-Control-Allow-Origin header to be set to https://xxxx.yyyy.zzz.www:3000

Current behaviour

The Access-Control-Allow-Origin header is set to * for GET requests.

[Screenshot: screen shot 2017-11-21 at 16 37 19]

Please ignore the fact that the above screenshot shows localhost; it happens on the production server too, but because of security I had to post the response without revealing the IP address (thank you).

Setup

  • OS: Mac, Linux
  • browser: Chrome
  • socket.io version: 2.0.4

Other information (e.g. stacktraces, related issues, suggestions how to fix)

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 3
  • Comments:6 (3 by maintainers)

Top GitHub Comments

2 reactions
darrachequesne commented, Oct 7, 2020

@FabianElsmer there are a few additional changes that we’d like to include in Socket.IO v3, but I think we’ll have a release candidate by next week.

0 reactions
darrachequesne commented, Nov 7, 2020

@phffmn you can provide an array too:

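// Socket.IO v3: the Server class is exported by the socket.io package
const { Server } = require("socket.io");

new Server(3000, {
  cors: {
    // only these origins are allowed
    origin: ["https://example.com", "https://dev.example.com"],
    methods: ["GET", "POST"],
    allowedHeaders: ["content-type"]
  }
});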

In fact, all options are forwarded to the cors module. Reference: https://www.npmjs.com/package/cors#configuration-options

I think this issue can now be closed.
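
An added example, not code from the issue or from the Socket.IO project: a Node.js check that audits response headers (such as those of the polling GET request) against the origin allowlist shown in the comment above. The function names, the findings text and the sample headers are constructed for illustration.

```javascript
// Added example, not Socket.IO or cors-module code: audit response headers
// against the origin allowlist from the comment above.
const ALLOWED_ORIGINS = ["https://example.com", "https://dev.example.com"];

// Header names are case-insensitive, so normalise them before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns a list of findings; an empty list means the response fits the policy.
function auditCors(requestOrigin, responseHeaders, allowed = ALLOWED_ORIGINS) {
  const h = lowerKeys(responseHeaders);
  const acao = h["access-control-allow-origin"];
  const findings = [];
  if (acao === undefined) {
    // Without the header the browser blocks the cross-origin read.
    if (allowed.includes(requestOrigin)) findings.push("allowed origin received no ACAO header");
    return findings;
  }
  if (acao === "*") {
    findings.push("ACAO is the wildcard '*', allowlist not applied");
  } else if (!allowed.includes(acao)) {
    findings.push(`ACAO names an origin outside the allowlist: ${acao}`);
  } else if (allowed.includes(requestOrigin) && acao !== requestOrigin) {
    findings.push("ACAO does not match the requesting origin");
  }
  // A per-origin ACAO value should come with Vary: Origin so that caches
  // do not hand one origin's response to another.
  const vary = (h["vary"] || "").toLowerCase().split(",").map((s) => s.trim());
  if (acao !== "*" && !vary.includes("origin")) findings.push("missing Vary: Origin");
  return findings;
}

// Constructed sample responses, not captured from a real server.
const SAMPLES = [
  { origin: "https://example.com", headers: { "Access-Control-Allow-Origin": "https://example.com", Vary: "Origin" } },
  { origin: "https://example.com", headers: { "access-control-allow-origin": "*" } },
  { origin: "https://other.test", headers: { "Access-Control-Allow-Origin": "https://other.test", Vary: "Origin" } },
  { origin: "https://other.test", headers: { Vary: "Origin" } },
];

for (const { origin, headers } of SAMPLES) {
  const findings = auditCors(origin, headers);
  console.log(origin, "->", findings.length ? findings.join("; ") : "ok");
}
```
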
