Allow not returning any access control headers if the Origin is not allowed to access the resource
mjarosie opened this issue · 1 comment
mjarosie commented
Describe the feature
At the moment the library does not allow handling the scenario in which the origin is not allowed to access the resource: it expects `options.origin` to always return a string. That leads to developers having to come up with a "workaround" configuration (for example here or here) which is not ideal:

- I'd rather not return any allowed domains to the caller if the caller is not allowed to call my API in the first place, as it might disclose details unnecessarily.
- Returning `false`/`undefined` from the `origin` function causes the middleware to be completely ignored, which seems to be a feature of this library as there's a unit test that proves this behaviour.
- Returning a `null` is not a good practice because of security issues, as described in this issue.

If the request `Origin` is not allowed, the middleware should be able to respond to pre-flight requests immediately with no `Access-Control` headers being returned at all.
Checklist
- I have searched through GitHub issues for similar issues.
- I have completely read through the README and documentation.
pilotmoon commented
To set no `Access-Control` headers at all in the response, return an empty string `""` from the `options.origin` function.
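The behaviour discussed in this issue, as an added example that is not the library's own code: a minimal CORS decision routine whose origin resolver returns the allowed origin string to emit headers, `""` to handle the request with no `Access-Control-*` headers at all, and `false`/`undefined` to skip the middleware. The function names (`applyCors`, `allowListResolver`), the `CorsResult` shape and the allow list are assumptions constructed for this example; whether the library treats `""` exactly this way is only what the reply above states.

```typescript
// Added example (not the library's code): a minimal CORS middleware core that
// models the origin-resolver semantics discussed in this issue. Assumptions:
//   - the resolver returns the allowed origin string to emit CORS headers,
//   - "" to handle the request with no Access-Control-* headers at all,
//   - false/undefined to skip the middleware entirely (non-CORS request).
// Request headers are lower-cased keys in a plain object so this runs anywhere.

export type OriginResolver = (requestOrigin: string | undefined) => string | false | undefined;

export interface CorsResult {
  skipped: boolean;                 // true when the resolver returned false/undefined
  headers: Record<string, string>;  // headers the middleware would add to the response
  preflightStatus?: number;         // set when the middleware answers an OPTIONS preflight itself
}

export function applyCors(
  method: string,
  requestHeaders: Record<string, string>,
  resolve: OriginResolver,
): CorsResult {
  const requestOrigin: string | undefined = requestHeaders["origin"];
  const allowed = resolve(requestOrigin);
  if (allowed === false || allowed === undefined) {
    // Middleware ignored: the request proceeds untouched.
    return { skipped: true, headers: {} };
  }

  const isPreflight =
    method.toUpperCase() === "OPTIONS" && "access-control-request-method" in requestHeaders;
  const headers: Record<string, string> = {};

  if (allowed === "") {
    // Origin not allowed: emit no CORS headers. A preflight is terminated here
    // with an empty 204, so the browser's CORS check fails without the server
    // revealing which origins would have been accepted.
    return isPreflight
      ? { skipped: false, headers, preflightStatus: 204 }
      : { skipped: false, headers };
  }

  // Origin allowed: echo only that origin, never the whole allow list.
  headers["access-control-allow-origin"] = allowed;
  headers["vary"] = "Origin"; // shared caches must key the response on Origin
  if (isPreflight) {
    headers["access-control-allow-methods"] = "GET,POST,OPTIONS";
    const requested = requestHeaders["access-control-request-headers"];
    if (requested) headers["access-control-allow-headers"] = requested;
    return { skipped: false, headers, preflightStatus: 204 };
  }
  return { skipped: false, headers };
}

// Constructed allow list for this example; a real deployment loads it from config.
export const ALLOWED_ORIGINS = new Set<string>(["https://app.example", "https://admin.example"]);

// Resolver implementing the behaviour the issue asks for: no Origin header means
// a same-origin or non-browser request, so the middleware is skipped; an Origin
// that is not on the list gets "" (no CORS headers); a listed Origin is echoed.
export function allowListResolver(requestOrigin: string | undefined): string | undefined {
  if (requestOrigin === undefined) return undefined;
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : "";
}
```

With this resolver a preflight from `https://app.example` gets a 204 carrying `access-control-allow-origin: https://app.example`, while a preflight from an unlisted origin gets a bare 204 with no `Access-Control-*` headers and an unlisted origin's plain GET passes through with no CORS headers added, which is the outcome the issue describes wanting.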