Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Socket.io allows connections with cors set

See original GitHub issue

Describe the bug Socket.io allows connections even though cors’s origin is not in the allowed ones.

To Reproduce

Please fill the following code example:

Socket.IO server version: 3.1.0

Server

const cors = require('cors');
const app = require('express')();

const corsOptions = {
  // Not working for both express and socket.io somehow?
  // origin: 'http://good.com'
  // This was will return error page for express route
  // but will allow socket connection
  origin: function (origin, callback) {
    if (['http://good.com'].indexOf(origin) !== -1) {
      callback(null, true)
    } else {
      callback(new Error('CORS validation error'))
    }
  }
}

// curl -H "Origin: http://evil.com" http://localhost:3000/test
// will return an error page
app.get('/test', cors(corsOptions), (_req, res) => {
  return res.status(200).send({ message: "ok" })
})

const server = require('http').createServer(app);
const io = require('socket.io')(server, {
  cors: corsOptions
});

io.on('connection', (socket) => {
  console.log('connected', socket.id);
})

server.listen(3000);

Socket.IO client version: 3.1.0

Client

const io = require("socket.io-client");
const socket = io("http://localhost:3000", {
  extraHeaders: {
    "Origin": "https://evil.com" // allowing connections with empty origin either
  },
});

Expected behavior CORS options should be respected for socket connections too

Platform:

Device: MacBook Pro (15-inch, 2019)
OS: MacOS 10.14.6

Additional context Perhaps, I’m missing something about how CORS should function, if so, I would be glad to be educated 😃 My concern is that I can’t manage to get CORS to block connections for express too, if I, for instance, return false in the callback function without an error, or put the simple string in the origin param. Maybe, I should be creating an issue in their repo.

Issue Analytics

State:
Created 3 years ago
Comments:6 (2 by maintainers)

Top GitHub Comments

2reactions

darrachequesnecommented, Feb 2, 2021

You are right, the cors module does not actually prevent the connection when the origin is not allowed.

I didn’t find any issue regarding this feature in their repo though: https://github.com/expressjs/cors/issues

Please note that you can use allowRequest for this use case:

const io = require('socket.io')(server, {
  allowRequest: (req, cb) => {
    const isAllowed = req.headers.origin === 'http://good.com';
    cb(null, isAllowed);
  }
});

0reactions

darrachequesnecommented, Apr 5, 2022

This was added in the documentation here: https://socket.io/docs/v4/handling-cors/

Please reopen if needed.

Top Results From Across the Web

Handling CORS

Since Socket.IO v3, you need to explicitly enable Cross-Origin Resource Sharing (CORS). ... All options will be forwarded to the cors package. The ......

Socket.io + Node.js Cross-Origin Request Blocked

I have a typo in the query parameter name in the client side, so the connection was always rejected, but the browser complained...

How To Solve CORS Issues with socket.io

Let's first give you an idea about CORS, Well when you're building an UI ,You need to connect to remote API to get...

How to fix socket.io cors error in React with Node

A web socket is a protocol that provides bidirectional and full-duplex communication channels. Traditionally, when we are on a web page, we communicate...

How to fix CORS error in Socket IO - Node JS, Express

I recently received a lot of messages that happened with the latest release of the socket.js library, people are facing CORS error with...