Socket.io allows connections with cors set
See original GitHub issueDescribe the bug
Socket.io allows connections even though cors’s origin
is not in the allowed ones.
To Reproduce
Please fill the following code example:
Socket.IO server version: 3.1.0
Server
const cors = require('cors');
const app = require('express')();
const corsOptions = {
// Not working for both express and socket.io somehow?
// origin: 'http://good.com'
// This was will return error page for express route
// but will allow socket connection
origin: function (origin, callback) {
if (['http://good.com'].indexOf(origin) !== -1) {
callback(null, true)
} else {
callback(new Error('CORS validation error'))
}
}
}
// curl -H "Origin: http://evil.com" http://localhost:3000/test
// will return an error page
app.get('/test', cors(corsOptions), (_req, res) => {
return res.status(200).send({ message: "ok" })
})
const server = require('http').createServer(app);
const io = require('socket.io')(server, {
cors: corsOptions
});
io.on('connection', (socket) => {
console.log('connected', socket.id);
})
server.listen(3000);
Socket.IO client version: 3.1.0
Client
const io = require("socket.io-client");
const socket = io("http://localhost:3000", {
extraHeaders: {
"Origin": "https://evil.com" // allowing connections with empty origin either
},
});
Expected behavior CORS options should be respected for socket connections too
Platform:
- Device: MacBook Pro (15-inch, 2019)
- OS: MacOS 10.14.6
Additional context
Perhaps, I’m missing something about how CORS should function, if so, I would be glad to be educated 😃
My concern is that I can’t manage to get CORS to block connections for express too, if I, for instance, return false in the callback
function without an error, or put the simple string in the origin param. Maybe, I should be creating an issue in their repo.
Issue Analytics
- State:
- Created 3 years ago
- Comments:6 (2 by maintainers)
Top Results From Across the Web
Handling CORS
Since Socket.IO v3, you need to explicitly enable Cross-Origin Resource Sharing (CORS). ... All options will be forwarded to the cors package. The ......
Read more >Socket.io + Node.js Cross-Origin Request Blocked
I have a typo in the query parameter name in the client side, so the connection was always rejected, but the browser complained...
Read more >How To Solve CORS Issues with socket.io
Let's first give you an idea about CORS, Well when you're building an UI ,You need to connect to remote API to get...
Read more >How to fix socket.io cors error in React with Node
A web socket is a protocol that provides bidirectional and full-duplex communication channels. Traditionally, when we are on a web page, we communicate...
Read more >How to fix CORS error in Socket IO - Node JS, Express
I recently received a lot of messages that happened with the latest release of the socket.js library, people are facing CORS error with...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
You are right, the
cors
module does not actually prevent the connection when the origin is not allowed.I didn’t find any issue regarding this feature in their repo though: https://github.com/expressjs/cors/issues
Please note that you can use
allowRequest
for this use case:This was added in the documentation here: https://socket.io/docs/v4/handling-cors/
Please reopen if needed.