Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin #3510

Merged
merged 1 commit into from
Oct 14, 2024
Merged

fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin #3510

merged 1 commit into from
Oct 14, 2024
+39 −6

Conversation

uki00a
Copy link
Contributor

@uki00a uki00a commented Oct 12, 2024
edited
Loading

The author should do the following, if applicable

  • Add tests
  • Run tests
  • bun run format:fix && bun run lint:fix to format the code
  • Add TSDoc/JSDoc to document the code

Even if the Origin header of a request does not match a origin specified by origin option, CORS middleware always sets Access-Control-Allow-Origin header. I don't see this as a serious problem, but in some cases it may unintentionally expose a server setting.

References

@uki00a uki00a marked this pull request as ready for review October 12, 2024 10:55
@uki00a uki00a marked this pull request as draft October 12, 2024 11:13
@uki00a uki00a force-pushed the avoid-expose-first-allowed-origin branch from 3c54a7c to 5bf6c62 Compare October 12, 2024 11:32
@uki00a uki00a changed the title fix(cors): avoid exposing the first allowed origin fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin Oct 12, 2024
uki00a
uki00a commented Oct 12, 2024
View reviewed changes
src/middleware/cors/index.test.ts
@@ -34,6 +34,12 @@ describe('CORS by Middleware', () => {

app.use('/api5/*', cors())

Copy link
Contributor Author

@uki00a uki00a Oct 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was originally added in #1129, but seems to have been lost at some point 👀

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, one of them is not necessary. You can remove one.

Copy link
Contributor Author

@uki00a uki00a Oct 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review! 🙏

I believe the addition of the following code in #1129 is to verify that duplicate headers are not set:

  app.use(
    '/api6/*',
    cors({
      origin: 'http://example.com',
    })
  )
  app.use(
    '/api6/*',
    cors({
      origin: 'http://example.com',
    })
  )

If I remove one of them, should I also remove the following test?

hono/src/middleware/cors/index.test.ts

Lines 171 to 175 in 3311664

it('Should not return duplicate header values', async () => {
const res = await app.request('http://localhost/api6/abc')
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
})

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@uki00a

Got it! Let's leave these lines. Thank you for the explanation!

@uki00a uki00a marked this pull request as ready for review October 12, 2024 11:38
@codecov Codecov
Copy link

codecov bot commented Oct 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.57%. Comparing base (9986b47) to head (5bf6c62).
Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3510      +/-   ##
==========================================
- Coverage   95.58%   95.57%   -0.01%     
==========================================
  Files         155      155              
  Lines        9357     9361       +4     
  Branches     2749     2782      +33     
==========================================
+ Hits         8944     8947       +3     
- Misses        413      414       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@yusukebe
Copy link
Member

Hi @uki00a

Thanks! I've left one comment. Please check it!

yusukebe
yusukebe approved these changes Oct 14, 2024
View reviewed changes
Copy link
Member

@yusukebe yusukebe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@yusukebe
Copy link
Member

@uki00a

Looks good! I'll merge it and release the new version soon (maybe tomorrow). Thank you for your contribution!

@yusukebe yusukebe merged commit cebf4e8 into honojs:main Oct 14, 2024
16 checks passed
@uki00a uki00a deleted the avoid-expose-first-allowed-origin branch October 14, 2024 12:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yusukebe yusukebe yusukebe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@uki00a @yusukebe