Make it possible to permit CORS requests for multiple origins
eladnava opened this issue · 3 comments
Hi,
Loving the package so far! Well done.
The following code can be used to allow a single, specific origin for CORS using kcors:
var cors = require('kcors');

// Allow cross-origin requests from exactly one origin (scheme, host and port).
var config = {
  origin: 'http://localhost:3000'
};

app.use(cors(config));
It would be great if we could specify more than one origin via an array:
// Requested form from this issue (asked for, not described as working):
// several allowed origins given as one array.
var config = {
  origin: [
    'http://localhost:3000',
    'http://mydomain.com'
  ]
};

app.use(cors(config));
It's possible to specify multiple hosts using separate Access-Control-Allow-Origin
headers, e.g:
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Origin: http://mydomain.com
Can I submit a PR to add support for this?
Thanks!
Never mind: apparently, sending multiple Access-Control-Allow-Origin headers goes against the CORS spec.
The same functionality can be achieved by passing a generator function as the origin parameter to kcors:
var cors = require('kcors');

// Register kcors on the Koa app; verifyOrigin decides which origins are allowed.
app.use(cors({
  origin: verifyOrigin
}));
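/**
 * Origin check passed to kcors as its `origin` option.
 *
 * Compares the request's Origin header against a fixed allowlist using exact
 * string equality, so scheme, host and port must all match. On a match the
 * origin is echoed back in Access-Control-Allow-Origin; otherwise this
 * function sets no CORS header.
 *
 * @param {Object} ctx - Koa context for the current request.
 * @returns {Generator} Generator that yields nothing and returns undefined.
 */
function* verifyOrigin(ctx) {
  // Origin header as sent by the client (undefined when the header is absent).
  const origin = ctx.headers.origin;

  // Exact-match allowlist. Keep it exact: prefix, suffix or substring matching
  // would also accept look-alike hosts.
  const validOrigins = ['http://localhost:3000', 'http://mydomain.com'];

  // The response depends on the Origin header, so shared caches must key on it;
  // otherwise a response cached for one origin can be served to another.
  ctx.vary('Origin');

  if (validOrigins.indexOf(origin) !== -1) {
    // Echo back only a value that passed the allowlist, never the raw header.
    ctx.set('Access-Control-Allow-Origin', origin);
  }
}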
@eladnava thanks for pointing me in the right direction, although (at least with the @next version) it didn't work out of the box. Having looked at the tests and combined them with your information, this is what worked for me:
// Allowlist of origins that verifyOrigin will accept (exact string matches).
// NOTE(review): the localhost entry looks like a development origin; confirm
// it is not part of the production configuration.
const validOrigins = [
  `http://localhost:${requestingClientPort}`,
  'https://somedomain.com',
];

const config = {
  // ...
  cors: {
    // ...
    origin: verifyOrigin,
  },
};

app.use(cors(config.cors));
/**
 * kcors `origin` callback: hands back the request's Origin header when
 * originIsValid accepts it, and false otherwise.
 *
 * @param {Object} ctx - Koa context; only ctx.headers.origin is read.
 * @returns {string|boolean} The accepted origin, or false when it is rejected.
 */
function verifyOrigin(ctx) {
  const requestOrigin = ctx.headers.origin;

  // Only a value that passed the allowlist check is ever returned.
  return originIsValid(requestOrigin) ? requestOrigin : false;
}
/**
 * Reports whether the given origin is an exact entry in validOrigins.
 *
 * @param {string|undefined} origin - Value of the request's Origin header.
 * @returns {boolean} true only when the value equals one allowlist entry.
 */
function originIsValid(origin) {
  // indexOf compares with strict equality, so partial matches never pass.
  const position = validOrigins.indexOf(origin);
  return position >= 0;
}
@andreasgrimm cool, thanks for sharing! 😄