koajs/cors

Make spec-compliant

dougwilson opened this issue · 8 comments

Please make this module spec-compliant :) An example where it is not that I noticed right away is that this module considers any request with an Origin request header to be a CORS request--this is actually not the indicator of what is or isn't a CORS request. You can find more within the spec.

The biggest failure right now is this module doesn't correctly handle preflight requests, as it makes a mistake in the processing of section 6.2 (http://www.w3.org/TR/cors/#resource-preflight-requests), step 3:

If there is no Access-Control-Request-Method header or if parsing failed, do not set any additional headers and terminate this set of steps. The request is outside the scope of this specification.

If I send an OPTIONS request with an Origin request header and no Access-Control-Request-Method request header, this module still adds CORS response headers.

You can find the spec here: http://www.w3.org/TR/cors/
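The section 6.2 preflight check described in the issue above, as an added example that is not part of the original post and is not koajs/cors code. The function name `preflightHeaders`, the `policy` fields and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added example (not koajs/cors code): decide whether a request is a CORS
// preflight per section 6.2 before setting any preflight response headers.
// preflightHeaders and the policy fields are hypothetical names.

function header(headers, name) {
  // Header names are case-insensitive; look the name up in lower case.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Returns null when no CORS headers may be added, otherwise the
// headers to set on the preflight response.
function preflightHeaders(method, headers, policy) {
  if (method !== 'OPTIONS') return null;

  // Steps 1-2: Origin must be present and match an allowed origin exactly.
  const origin = header(headers, 'origin');
  if (!origin || !policy.origins.includes(origin)) return null;

  // Step 3: without Access-Control-Request-Method this is an ordinary
  // OPTIONS request, outside the scope of the spec. Add nothing.
  const reqMethod = header(headers, 'access-control-request-method');
  if (!reqMethod) return null;

  // Step 4: parse Access-Control-Request-Headers (absent means empty list).
  const raw = header(headers, 'access-control-request-headers') || '';
  const reqHeaders = raw.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Steps 5-6: method match is case-sensitive, header names are not.
  if (!policy.methods.includes(reqMethod)) return null;
  const allowed = policy.headers.map((h) => h.toLowerCase());
  if (!reqHeaders.every((h) => allowed.includes(h))) return null;

  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': policy.methods.join(', '),
    'Access-Control-Allow-Headers': policy.headers.join(', '),
    Vary: 'Origin', // the allowed origin is echoed, so caches must key on it
  };
}

// Constructed sample policy and requests.
const policy = { origins: ['https://app.example'], methods: ['GET', 'PUT'], headers: ['Content-Type'] };
const bareOptions = { Origin: 'https://app.example' };
const preflight = { Origin: 'https://app.example', 'Access-Control-Request-Method': 'PUT',
  'Access-Control-Request-Headers': 'content-type' };

console.log(preflightHeaders('OPTIONS', bareOptions, policy)); // null
console.log(preflightHeaders('OPTIONS', preflight, policy));
```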

@dougwilson we may want to think about how to make a pillarjs module. I wouldn't use it as middleware as my CORS requests typically are very route specific.

OK, I will read the spec deeply and send a pull request to make things right.

@jonathanong I had thought about it. There is a module https://www.npmjs.com/package/cors which is good and compliant that I use (though the source is hard to follow since it nests so deep, but eh). I actually believe I asked once if the author was interested in turning it over to expressjs, but it was declined and I left it at that :)

@troygoode let us know if you ever get tired of fielding that module alone ;)

@dougwilson actually I don't think you ever asked (or if you did, I somehow missed that message). I'll definitely think on it

@troygoode it's hard for me to remember ;) I looked really hard and apparently I confused that with the corser module, haha (it's the corser module I had asked about prior). My offer for expressjs status is still there for you, though, so consider this my first offer to you, haha.

P.S. zero pressure, so feel free to continue as you always have :)!

Hey @troygoode just wanted to ping in case you've changed your mind at all ;)

hey @dougwilson - I'll shoot you an email. I'm interested in transferring it over to the expressjs group