CORS preflight request with invalid origin is not handled properly when custom origin check is set
Describe the bug
CORS preflight request with invalid origin is handled differently if the origin is verified with a custom function. It seems that the processing of the request continues with the standard engine.io verification and results in a "Bad handshake method" error (since only GET is allowed in the handshake).
To Reproduce
Socket.IO server version: 4.1.2
Origin defined with custom function
Server
// Custom origin check: allow one origin, reject everything else with an Error
function verifyOrigin(origin, callback) {
  if (origin === 'http://origin.ok') {
    callback(null, true);
  } else {
    callback(new Error('Access not allowed from the specified origin: ' + origin), false);
  }
}

const options = {
  cors: {
    credentials: true,
    methods: ['GET', 'POST'],
    origin: verifyOrigin
  }
};

const io = require('socket.io')(options);
io.on("connection", socket => {
  console.log('Socket connected.');
});
io.listen(3000);
CORS preflight imitation
// valid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.ok" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://origin.ok
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST
Content-Length: 0
Date: Sat, 29 May 2021 08:28:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
// invalid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.wrong" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 400 Bad Request
Content-Type: application/json
Date: Sat, 29 May 2021 08:28:42 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
{"code":2,"message":"Bad handshake method"}
Origin defined statically
Server
const options = {
  cors: {
    credentials: true,
    methods: ['GET', 'POST'],
    origin: 'http://origin.ok'
  }
};

const io = require('socket.io')(options);
io.on("connection", socket => {
  console.log('Socket connected.');
});
io.listen(3000);
CORS preflight imitation
// valid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.ok" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://origin.ok
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST
Content-Length: 0
Date: Sat, 29 May 2021 09:13:50 GMT
Connection: keep-alive
Keep-Alive: timeout=5
// invalid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.wrong" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://origin.ok
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST
Content-Length: 0
Date: Sat, 29 May 2021 09:13:55 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Expected behavior
Correct response to the CORS preflight request in both cases.
Platform:
- Node: v14.17.0
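The following is an added example, not code from the issue or from the socket.io/cors projects. It places the error-style rejection from the report above beside the empty-allow-list rejection (callback(null, [])) recommended in the comments, and models the outcome the curl output documents: an Error handed to the callback is not a CORS rejection and falls through to the engine.io handshake check, while an empty allow-list ends the preflight cleanly with 204 and no Access-Control-Allow-Origin header. The matching rules and the 400 path are a model of the observed behaviour, not the libraries' own code.

```javascript
// Added example: two rejection styles for a custom CORS origin function and a
// small model of how the preflight turns out for each (not library code).

// Rejection style from the bug report: an Error passed to the callback.
function verifyOriginWithError(origin, callback) {
  if (origin === 'http://origin.ok') return callback(null, true);
  callback(new Error('Access not allowed from the specified origin: ' + origin), false);
}

// Rejection style from the resolution: no error, empty list of allowed origins.
function verifyOriginWithEmptyList(origin, callback) {
  if (origin === 'http://origin.ok') return callback(null, true);
  callback(null, []);
}

// Model of how a resolved `origin` option is matched (assumption, mirrors the
// cors package's documented semantics): array -> any element matches,
// string -> equality, RegExp -> test, anything else -> truthiness.
function isOriginAllowed(origin, allowed) {
  if (Array.isArray(allowed)) return allowed.some(a => isOriginAllowed(origin, a));
  if (typeof allowed === 'string') return origin === allowed;
  if (allowed instanceof RegExp) return allowed.test(origin);
  return !!allowed;
}

// Run the origin function for an OPTIONS preflight and describe the response.
function preflight(verify, origin) {
  let result;
  verify(origin, (err, allowed) => { result = { err, allowed }; });
  if (result.err) {
    // The error is passed along, but the request is not stopped: it reaches the
    // engine.io handshake, which only accepts GET, hence the 400 in the report.
    return { status: 400, body: { code: 2, message: 'Bad handshake method' } };
  }
  const headers = { Vary: 'Origin' };
  if (isOriginAllowed(origin, result.allowed)) {
    // A string option is echoed as-is; anything else reflects the request origin.
    headers['Access-Control-Allow-Origin'] =
      typeof result.allowed === 'string' ? result.allowed : origin;
  }
  return { status: 204, headers };
}
```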
Top GitHub Comments
@andrejleitner well, it’s open source, 13 days are not that much 😄
Would you have time to open a pull request on the cors repository? Maybe it will be easier for the maintainer to acknowledge the issue if we already have a fix.

Resolved in the discussion on cors side.
TLDR: Invalid origin should be rejected by calling callback(null, []), e.g.: