
CORS preflight request with invalid origin is not handled properly when custom origin check is set


Describe the bug

A CORS preflight request with an invalid origin is handled differently if the origin is verified with a custom function. It seems that the processing of the request continues with the standard engine.io verification and results in a "Bad handshake method" error (since only GET is allowed in the handshake).

To Reproduce

Socket.IO server version: 4.1.2

Origin defined with a custom function

Server

// Custom origin check: accepts exactly one origin and rejects everything
// else by passing an Error to the callback (this is the variant that triggers
// the behaviour described above).
function verifyOrigin(origin, callback) {
    if (origin === 'http://origin.ok') {
        callback(null, true);
    } else {
        callback(new Error('Access not allowed from the specified origin: ' + origin), false);
    }
}

const options = {
    cors: {
        credentials: true,
        methods: ['GET', 'POST'],
        origin: verifyOrigin
    }
};
const io = require('socket.io')(options);

io.on("connection", socket => {
    console.log('Socket connected.')
});

io.listen(3000);

CORS preflight imitation

# valid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.ok" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://origin.ok
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST
Content-Length: 0
Date: Sat, 29 May 2021 08:28:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5

# invalid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.wrong" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 400 Bad Request
Content-Type: application/json
Date: Sat, 29 May 2021 08:28:42 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

{"code":2,"message":"Bad handshake method"}

Origin defined statically

Server

const options = {
    cors: {
        credentials: true,
        methods: ['GET', 'POST'],
        origin: 'http://origin.ok'
    }
};
const io = require('socket.io')(options);

io.on("connection", socket => {
    console.log('Socket connected.')
});

io.listen(3000);

CORS preflight imitation

# valid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.ok" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://origin.ok
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST
Content-Length: 0
Date: Sat, 29 May 2021 09:13:50 GMT
Connection: keep-alive
Keep-Alive: timeout=5

# invalid origin
curl -i -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://origin.wrong" 'http://localhost:3000/socket.io/?EIO=4&transport=polling'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: http://origin.ok
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST
Content-Length: 0
Date: Sat, 29 May 2021 09:13:55 GMT
Connection: keep-alive
Keep-Alive: timeout=5

Expected behavior

A correct response to the CORS preflight request in both cases.

Platform:

  • Node: v14.17.0

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
darrachequesne commented, Jun 17, 2021

@andrejleitner well, it’s open source, 13 days are not that much 😄

Would you have time to open a pull request on the cors repository? Maybe it will be easier for the maintainer to acknowledge the issue if we already have a fix.

1 reaction
andrejleitner commented, Jun 18, 2021

Resolved in the discussion on cors side.

TLDR: An invalid origin should be rejected by calling callback(null, []), e.g.:

// Custom origin check that rejects by handing the cors middleware an empty
// allow-list instead of an Error, so the preflight is still answered by cors.
function verifyOrigin(origin, callback) {
    if (origin === 'http://origin.ok') {
        callback(null, true);
    } else {
        callback(null, []);
    }
}
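To make the difference between the two rejection styles concrete, here is an added example that is not code from the issue, from socket.io or from the cors package. It is a small, synchronous model of the preflight decision: a stand-in for engine.io's handshake check (which answers any non-GET handshake with the 400 from the report), a function that maps a resolved `origin` option to the Access-Control-Allow-Origin value, and a handler that hands the request to that next stage whenever the origin callback yields an error. The one detail taken from the cors middleware source rather than from this page, and marked as such in the code, is that a falsy origin value is handed off in the same way as an error. The function and field names are the example's own; the three configurations run against the same two origins as the curl transcripts above.

```javascript
'use strict';

// Stand-in for engine.io's handshake check: a new session may only be opened
// with GET, so an OPTIONS request that reaches it gets the 400 seen in the bug.
function engineHandshake(req) {
  if (req.method !== 'GET') {
    return { status: 400, headers: {}, body: { code: 2, message: 'Bad handshake method' } };
  }
  return { status: 200, headers: {}, body: 'handshake ok' };
}

// Access-Control-Allow-Origin value for a resolved `origin` option.
// A static string is echoed as-is (even when the request origin differs, as the
// second curl transcript shows), `true` reflects the request origin, and an
// array allows only the origins it lists. null means "send no ACAO header".
function allowOriginFor(requestOrigin, origin) {
  if (typeof origin === 'string') return origin;
  if (origin === true) return requestOrigin;
  if (Array.isArray(origin)) return origin.includes(requestOrigin) ? requestOrigin : null;
  return null;
}

// Preflight handler modelled on the cors -> engine.io chain. `originOption` is
// a string or a (requestOrigin, callback) function, as in the cors options.
function handlePreflight(originOption, req) {
  const resolve = typeof originOption === 'function'
    ? originOption
    : (_origin, cb) => cb(null, originOption);

  let response;
  resolve(req.headers.origin, (err, origin) => {
    // Assumption taken from the cors middleware source, not from the issue:
    // an error OR a falsy origin skips CORS handling and passes the request on,
    // so the OPTIONS request ends up in the handshake check.
    if (err || !origin) {
      response = engineHandshake(req);
      return;
    }
    const headers = {
      Vary: 'Origin, Access-Control-Request-Headers',
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Methods': 'GET,POST',
    };
    const allow = allowOriginFor(req.headers.origin, origin);
    if (allow !== null) headers['Access-Control-Allow-Origin'] = allow;
    // The preflight is answered either way; without ACAO the browser blocks it.
    response = { status: 204, headers, body: '' };
  });
  return response;
}

const OK = 'http://origin.ok';

// The report's original check: rejects with an Error -> falls through to engine.io.
function verifyOriginWithError(origin, cb) {
  if (origin === OK) cb(null, true);
  else cb(new Error('Access not allowed from the specified origin: ' + origin), false);
}

// The resolution: rejects with an empty allow-list -> answered by cors, no ACAO.
function verifyOriginWithEmptyList(origin, cb) {
  if (origin === OK) cb(null, true);
  else cb(null, []);
}

// Constructed preflight request equivalent to the curl commands in the report.
function preflightFrom(origin) {
  return {
    method: 'OPTIONS',
    url: '/socket.io/?EIO=4&transport=polling',
    headers: { origin, 'access-control-request-method': 'GET' },
  };
}

// Runs all three configurations against the valid and the invalid origin and
// returns { configName: { origin: { status, allowOrigin } } }.
function demo() {
  const configs = {
    errorCallback: verifyOriginWithError,
    emptyList: verifyOriginWithEmptyList,
    staticString: OK,
  };
  const out = {};
  for (const [name, option] of Object.entries(configs)) {
    out[name] = {};
    for (const origin of [OK, 'http://origin.wrong']) {
      const res = handlePreflight(option, preflightFrom(origin));
      const allowOrigin = res.headers['Access-Control-Allow-Origin'];
      out[name][origin] = { status: res.status, allowOrigin: allowOrigin === undefined ? null : allowOrigin };
    }
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the three outcomes side by side: the Error variant yields status 400 for `http://origin.wrong` (the request never gets a preflight answer), the empty-list variant yields 204 with no Access-Control-Allow-Origin header, which is what actually makes a browser refuse the cross-origin call, and the static string yields 204 with `http://origin.ok` echoed regardless of the request origin, matching the second transcript. The practical check after changing the callback is therefore not "does the server return an error" but "does the 204 for a foreign origin carry no ACAO header".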

