expressjs/cors

CORS requests with credentials should forbid `*`

Open

#333 opened on Oct 19, 2024

View on GitHub
4 comments

Labels: 3.x, bug, help wanted


Description

The standard forbids using * in the Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Allow-Methods, or Access-Control-Allow-Headers response header, if the Access-Control-Allow-Credentials request header is set to true.

https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

https://fetch.spec.whatwg.org/#http-new-header-syntax

Right now, this module allows it. In fact, it does it by default if the credentials option is set to true.

Instead, it could either:

  • Throw an error
  • Not set CORS response headers, i.e. rejecting the CORS request
  • Use the Origin request header, if specified. The Vary: Origin response header would need to be set too then.
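The rule above, worked through as an added example; this is not code from the cors module or from this issue, and the option names (origin, credentials, methods, allowedHeaders, exposedHeaders) only mirror the module's so the two are easy to compare. It takes the first suggestion (throw at configuration time) and combines it with an explicit origin allowlist plus `Vary: Origin`. One caveat a practitioner should keep in mind: the third suggestion, echoing whatever Origin the request carries, grants every site credentialed access, which is exactly what the wildcard would have granted had browsers accepted it, so the example only echoes an origin that is on the allowlist. The request shape `{method, headers}` with lower-case header names is an assumption (it matches how Node's `IncomingMessage` exposes them), and the sample requests at the bottom are constructed.

```javascript
'use strict';

// Response headers that must not contain "*" when
// Access-Control-Allow-Credentials: true is sent
// (https://fetch.spec.whatwg.org/#cors-protocol-and-credentials).
const NO_WILDCARD_WITH_CREDENTIALS = [
  'Access-Control-Allow-Origin',
  'Access-Control-Allow-Methods',
  'Access-Control-Allow-Headers',
  'Access-Control-Expose-Headers',
];

// True if an option value or an emitted header value contains a "*" token.
const hasWildcard = (v) =>
  v === '*' ||
  (Array.isArray(v) && v.includes('*')) ||
  (typeof v === 'string' && v.split(',').map((s) => s.trim()).includes('*'));

// First suggestion from the issue: fail at configuration time instead of
// emitting a credentialed response that every browser will reject anyway.
function validateCorsOptions(opts) {
  if (!opts.credentials) return opts;
  const bad = ['origin', 'methods', 'allowedHeaders', 'exposedHeaders']
    .filter((key) => hasWildcard(opts[key]));
  if (bad.length > 0) {
    throw new Error(`credentials: true forbids "*" in: ${bad.join(', ')}`);
  }
  return opts;
}

const toList = (v) => (Array.isArray(v) ? v.join(',') : String(v));

// Compute the CORS response headers for one request (assumed shape:
// {method, headers} with lower-case header names). Returns null when the
// Origin is not allowed: no CORS headers at all, which is how the browser is
// told the cross-origin request is refused.
function buildCorsHeaders(opts, req) {
  const origin = req.headers['origin'];
  const out = {};
  const vary = [];

  if (opts.origin === '*') {
    out['Access-Control-Allow-Origin'] = '*'; // only reachable without credentials
  } else {
    // Explicit allowlist of exact origins, echoed back one at a time. The
    // response now depends on the request's Origin, so caches must be told.
    const allowed = Array.isArray(opts.origin) ? opts.origin : [opts.origin];
    if (!origin || !allowed.includes(origin)) return null;
    out['Access-Control-Allow-Origin'] = origin;
    vary.push('Origin');
  }
  if (opts.credentials) out['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (isPreflight) {
    out['Access-Control-Allow-Methods'] = toList(opts.methods || ['GET', 'HEAD', 'POST']);
    if (opts.allowedHeaders) {
      out['Access-Control-Allow-Headers'] = toList(opts.allowedHeaders);
    } else if (req.headers['access-control-request-headers']) {
      // No allowlist configured: echo the requested header names verbatim
      // rather than "*", and vary on them for the same caching reason.
      out['Access-Control-Allow-Headers'] = req.headers['access-control-request-headers'];
      vary.push('Access-Control-Request-Headers');
    }
  } else if (opts.exposedHeaders && opts.exposedHeaders.length > 0) {
    out['Access-Control-Expose-Headers'] = toList(opts.exposedHeaders);
  }
  if (vary.length > 0) out['Vary'] = vary.join(', ');

  // Defence in depth for callers that skipped validateCorsOptions: never let
  // a credentialed response out with a wildcard in any of the four headers.
  if (opts.credentials) {
    for (const name of NO_WILDCARD_WITH_CREDENTIALS) {
      if (hasWildcard(out[name])) {
        throw new Error(`refusing to send ${name}: * with credentials`);
      }
    }
  }
  return out;
}

// Constructed sample: a credentialed preflight from an allowlisted origin.
const sampleOptions = validateCorsOptions({
  origin: ['https://app.example'],
  credentials: true,
  methods: ['GET', 'POST'],
});
const samplePreflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.example',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'content-type, authorization',
  },
};
console.log(buildCorsHeaders(sampleOptions, samplePreflight));
```

Swapping the `origin` allowlist above for `'*'` while keeping `credentials: true` makes `validateCorsOptions` throw, which is the behaviour the issue asks for in place of the module's current default of emitting `Access-Control-Allow-Origin: *` next to `Access-Control-Allow-Credentials: true`.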
