-
-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(cors): avoid setting Access-Control-Allow-Origin
if there is no matching origin
#3510
fix(cors): avoid setting Access-Control-Allow-Origin
if there is no matching origin
#3510
Conversation
… matching origin
3c54a7c
to
5bf6c62
Compare
Access-Control-Allow-Origin
if there is no matching origin
@@ -34,6 +34,12 @@ describe('CORS by Middleware', () => { | |||
|
|||
app.use('/api5/*', cors()) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was originally added in #1129, but seems to have been lost at some point 👀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, one of them is not necessary. You can remove one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review! 🙏
I believe the addition of the following code in #1129 is to verify that duplicate headers are not set:
app.use(
'/api6/*',
cors({
origin: 'http://example.com',
})
)
app.use(
'/api6/*',
cors({
origin: 'http://example.com',
})
)
If I remove one of them, should I also remove the following test?
hono/src/middleware/cors/index.test.ts
Lines 171 to 175 in 3311664
it('Should not return duplicate header values', async () => { | |
const res = await app.request('http://localhost/api6/abc') | |
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com') | |
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it! Let's leave these lines. Thank you for the explanation!
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3510 +/- ##
==========================================
- Coverage 95.58% 95.57% -0.01%
==========================================
Files 155 155
Lines 9357 9361 +4
Branches 2749 2782 +33
==========================================
+ Hits 8944 8947 +3
- Misses 413 414 +1 ☔ View full report in Codecov by Sentry. |
Hi @uki00a Thanks! I've left one comment. Please check it! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Looks good! I'll merge it and release the new version soon (maybe tomorrow). Thank you for your contribution! |
The author should do the following, if applicable
bun run format:fix && bun run lint:fix
to format the codeEven if the
Origin
header of a request does not match a origin specified byorigin
option, CORS middleware always setsAccess-Control-Allow-Origin
header. I don't see this as a serious problem, but in some cases it may unintentionally expose a server setting.References
cors
package seems not to set theAccess-Control-Allow-Origin
if theOrigin
header of a request does not match allowed originsAccess-Control-Allow-Origin
header is missingorigin
option as theAccess-Control-Allow-Origin
if the option does not match theOrigin
header of a request, so changes in this PR would have no particular negative impact