-
-
Notifications
You must be signed in to change notification settings - Fork 471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OPTIONS
request handler missing Allow
header
#305
Comments
You are correct, but that is even if you are not using CORS. The Express.js server will add one for you, if you set up method for your path. This module is just for adding on CORS; your server should include Allow to OPTIONS requests without CORS at all too, which is all this module adds. |
Can you show me a minimal reproducible example of an Express server that provides a |
|
When I use the $ node -e 'require("express")().use(require("cors")()).get("/foo",(req,res)=>res.send("Hello")).listen(3000)' &
[3] 2226
$ curl -i -XOPTIONS http://localhost:3000/foo
HTTP/1.1 204 No Content
X-Powered-By: Express
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Content-Length: 0
Date: Wed, 20 Sep 2023 20:09:21 GMT
Connection: keep-alive
Keep-Alive: timeout=5 no |
Oh, interesting. So seems like there is some kind of bug in here that is suppression the Allow header or something 🤔 |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
That's all well and good, but I actually can't post issues on the expressjs/express issue board as that action is limited to contributors. Similarly: Ironically, I would like to contribute to expressjs/express#2414 but am unable to initiate discussion on that, as I am not yet a contributor 😛 Edit (26/09/2023): I hid this message previously because issues on |
Enabling cors for a single route, as cors npm doc shows doesn't mess the headers up. node -e 'require("express")().get("/foo", require("cors")(), (req,res) =>res.send("Hello")).listen(3000)' &
[1] 10062
curl -i -X OPTIONS localhost:3000/foo
HTTP/1.1 200 OK
X-Powered-By: Express
Allow: GET,HEAD
Content-Type: text/html; charset=utf-8
Content-Length: 8
ETag: W/"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg"
Date: Mon, 25 Sep 2023 22:19:03 GMT
Connection: keep-alive
Keep-Alive: timeout=5
GET,HEAD% Enabling cors on a single route but with pre-flight enabled messes the headers too though. node -e 'require("express")().options("/foo", require("cors")()).get("/foo", require("cors")(), (req,res) => res.send("Hello")).listen(3000)' &
[1] 10632
curl -i localhost:3000/foo -X OPTIONS
HTTP/1.1 204 No Content
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Vary: Access-Control-Request-Headers
Content-Length: 0
Date: Mon, 25 Sep 2023 22:38:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Also checked changing the status code from the cors options and express response just in case, but that isn't the cause either. I know nothing about the express framework inner architecture but might be something the cors module is overwriting, given that cors has also request and response objects and similar functionality for some things like headers. |
This line leads to this block executing by default (with preflight Express' default
the |
Typo: preflight enabled makes cors call next and not end the res, preflight disabled (the default config) is what always ends the response, making it impossible to add nothing to It. Based in what you explained, in the 'Simple Usage' example that you showed (cors globally enabled), if we change the default preflightContinue (false) to true, the response gets passed to the next handler and doesn't end, getting the wanted behaviour.
If I recall correctly, allowed methods were showing in the single route cors example because after cors its called, the (req, res) handler gets called "on top", setting the allow header in the function sendOptionsResponse that you noted. Im not very sure how, but possibly the cors middleware doesn't execute the same way or even correctly, because if you check the single route test I did, it didn't had the common access control origin and access control methods headers that cors sets.
So maybe is a bigger issue than it looks because the single route example I did is from the common-usage in the npm page. |
As far as I understand, this issue entirely stems from the middleware's misclassification of all In fact, evidence (see the first comment of PR #40) suggests that the One way to fix things would be to correctly categorise |
Also had the issue that the This is the final code which works for me: const allowedOrigins: string[] | string = "*"
expressApp.use(
cors({
origin: allowedOrigins,
preflightContinue: true,
})
)
expressApp.options(
'*',
cors({
origin: allowedOrigins,
})
) Three important things I learned on this topic:
|
As per the MDN Docs, servers' responses to
OPTIONS
requests should include anAllow:
header that contains the allowed methods.The text was updated successfully, but these errors were encountered: