koajs/cors

Should default options allow null origin?

CopyJosh opened this issue · 0 comments

When using the default options, as the docs describe, without defining an origin, the response will set Access-Control-Allow-Origin to the request Origin header.

Enable cors with default options:
  origin: request Origin header

But if hit with a request that sets Origin: null, then the response will be Access-Control-Allow-Origin: null.

There are a lot of sources that say don't do this...
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null

I'm not really an expert in this area, but would there be a better default behavior than:

// https://github.com/koajs/cors/blob/master/index.js#L66
origin = options.origin || requestOrigin;

... if the requestOrigin were null?