Skip to content

Commit

Permalink
fix(cors): avoid setting Access-Control-Allow-Origin if there is no…
Browse files Browse the repository at this point in the history
… matching origin (#3510)
  • Loading branch information
uki00a authored Oct 14, 2024
1 parent 3311664 commit cebf4e8
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 6 deletions.
37 changes: 33 additions & 4 deletions src/middleware/cors/index.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,12 @@ describe('CORS by Middleware', () => {

app.use('/api5/*', cors())

app.use(
'/api6/*',
cors({
origin: 'http://example.com',
})
)
app.use(
'/api6/*',
cors({
Expand Down Expand Up @@ -83,7 +89,10 @@ describe('CORS by Middleware', () => {
})

it('Preflight with options', async () => {
const req = new Request('https://localhost/api2/abc', { method: 'OPTIONS' })
const req = new Request('https://localhost/api2/abc', {
method: 'OPTIONS',
headers: { origin: 'http://example.com' },
})
const res = await app.request(req)

expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
Expand All @@ -105,6 +114,15 @@ describe('CORS by Middleware', () => {
expect(res.headers.get('Access-Control-Allow-Credentials')).toBe('true')
})

it('Disallow an unmatched origin', async () => {
const req = new Request('https://localhost/api2/abc', {
method: 'OPTIONS',
headers: { origin: 'http://example.net' },
})
const res = await app.request(req)
expect(res.headers.has('Access-Control-Allow-Origin')).toBeFalsy()
})

it('Allow multiple origins', async () => {
let req = new Request('http://localhost/api3/abc', {
headers: {
Expand All @@ -116,21 +134,28 @@ describe('CORS by Middleware', () => {

req = new Request('http://localhost/api3/abc')
res = await app.request(req)
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
expect(
res.headers.has('Access-Control-Allow-Origin'),
'An unmatched origin should be disallowed'
).toBeFalsy()

req = new Request('http://localhost/api3/abc', {
headers: {
Referer: 'http://example.net/',
},
})
res = await app.request(req)
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
expect(
res.headers.has('Access-Control-Allow-Origin'),
'An unmatched origin should be disallowed'
).toBeFalsy()
})

it('Allow different Vary header value', async () => {
const res = await app.request('http://localhost/api3/abc', {
headers: {
Vary: 'accept-encoding',
Origin: 'http://example.com',
},
})

Expand Down Expand Up @@ -169,7 +194,11 @@ describe('CORS by Middleware', () => {
})

it('Should not return duplicate header values', async () => {
const res = await app.request('http://localhost/api6/abc')
const res = await app.request('http://localhost/api6/abc', {
headers: {
origin: 'http://example.com',
},
})

expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
})
Expand Down
8 changes: 6 additions & 2 deletions src/middleware/cors/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -68,11 +68,15 @@ export const cors = (options?: CORSOptions): MiddlewareHandler => {

const findAllowOrigin = ((optsOrigin) => {
if (typeof optsOrigin === 'string') {
return () => optsOrigin
if (optsOrigin === '*') {
return () => optsOrigin
} else {
return (origin: string) => (optsOrigin === origin ? origin : null)
}
} else if (typeof optsOrigin === 'function') {
return optsOrigin
} else {
return (origin: string) => (optsOrigin.includes(origin) ? origin : optsOrigin[0])
return (origin: string) => (optsOrigin.includes(origin) ? origin : null)
}
})(opts.origin)

Expand Down

0 comments on commit cebf4e8

Please sign in to comment.