Allow CORS headers to be overridden, include test coverage and docs.

README.md

@@ -65,7 +65,7 @@ Oh, do you want some specific stuff? Checkout the available <a href="#options">o
 --port, --p                      change port
 --host, --h                      change the host name
 --secure, --s                    use https/wss
---cors, --c                      respond to requests with CORS headers
+--cors, --c                      respond to requests with CORS headers, use true or object to override defaults
 --quiet, --q                     no logging whatsoever
 --noBrowser, --nb                won't open the browser automagically
 --only, --o                      will only watch for changes in the given path/glob/regex/array
@@ -88,6 +88,11 @@ All the <a href="#options">options</a> being used on the `CLI` can be added to t
 {
   "port": 9999,
   "quiet": true,
+  "cors": {
+    "headers": "Content-Type, Custom-Header",
+    "methods": "GET, OPTIONS",
+    "credentials": false
+  },
   "pathIndex": "src/",
   "only": ["src/**/*"],
   "proxy": true,

lib/server.js

@@ -222,20 +222,26 @@ module.exports = class Server extends EventEmitter {
   }
 
   _initCors() {
-    if (this.opts.cors) {
-      this._app.use(this._cors);
+    if (!!this.opts.cors) {
+      this._app.use(this._cors());
     }
   }
 
-  _cors(req, res, next) {
-    res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*');
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
-    res.setHeader('Access-Control-Allow-Headers', 'Authorization,X-Requested-With,Content-Type');
-    res.setHeader('Access-Control-Allow-Credentials', true);
-    if (req.method === 'OPTIONS') {
-      return res.status(200).end();
+  _cors() {
+    const corsOptions = Object.assign({
+      methods: 'GET, POST, OPTIONS, PUT, PATCH, DELETE',
+      headers: 'Authorization,X-Requested-With,Content-Type',
+      credentials: true,
+    }, this.opts.cors || {});
+
+    return function(req, res, next) {
+      res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*');
+      res.setHeader('Access-Control-Allow-Methods', corsOptions.methods);
+      res.setHeader('Access-Control-Allow-Headers', corsOptions.headers);
+      res.setHeader('Access-Control-Allow-Credentials', corsOptions.credentials);
+
+      return req.method === 'OPTIONS' ? res.status(200).end() : next();
     }
-    return next();
   }
 
   _initProxy() {

test/server_test.js

@@ -561,9 +561,11 @@ describe('server', () => {
   });
 
   describe('options', function() {
-    it('should open the browser and use CORS', (done) => {
+    it('should open the browser and use CORS with custom access-control-allow-headers', (done) => {
       let _server = new Server({
-        cors: true,
+        cors: {
+          headers: 'test-header',
+        },
         quiet: true,
         pathIndex: 'test/'
       });
@@ -574,6 +576,8 @@ describe('server', () => {
 
       http.get(`http://${_server.opts.host}:${_server.opts.port}/`, function(res) {
         expect(res.headers['access-control-allow-origin']).to.not.be.undefined;
+        expect(res.headers['access-control-allow-headers']).to.equal('test-header');
+        expect(res.headers['access-control-allow-credentials']).to.equal('true');
         return done();
       })