upon closer review of CORS spec, most headers are only valid for the …
…preflight response
troygoode committed Mar 12, 2013
1 parent 9dd38f5 commit b093d7e
Showing 2 changed files with 16 additions and 17 deletions.
12 changes: 4 additions & 8 deletions lib/index.js
Expand Up @@ -71,11 +71,11 @@ module.exports = function(param){
// append each response header if it is present
if(origin !== false){
res.header('Access-Control-Allow-Origin', origin); // required
}

// ONLY ADD THE FOLLOWING ON OPTION CALLS
if ('OPTIONS' === req.method) {
res.header('Access-Control-Allow-Methods', methods);
}
// if this HTTP request is an *OPTIONS* request, short-circuit (if we're allowed to do so) rather than going to next middleware
if(config.enablePreflight && 'OPTIONS' === req.method){
res.header('Access-Control-Allow-Methods', methods); // required
if(headers && headers.length){
res.header('Access-Control-Allow-Headers', headers);
}
Expand All @@ -85,10 +85,6 @@ module.exports = function(param){
if(maxAge && maxAge.length){
res.header('Access-Control-Allow-Max-Age', maxAge);
}
}

// if this HTTP request is an *OPTIONS* request, short-circuit (if we're allowed to do so) rather than going to next middleware
if(config.enablePreflight && 'OPTIONS' === req.method){
res.send(204);
}else{
next();
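Review bot: The header written in the `maxAge` branch, `Access-Control-Allow-Max-Age`, is not a CORS header; the spec name is `Access-Control-Max-Age`, so browsers ignore the value and fall back to their default preflight cache lifetime, re-issuing preflights on every request. Since this commit is the spec-alignment pass it is the natural place to rename it, `res.header('Access-Control-Max-Age', maxAge);`, with the matching assertion in test/cors.js (`res.header('Access-Control-Allow-Max-Age')`) changed alongside. The title says most headers are preflight-only, but `Access-Control-Allow-Credentials` is also required on the actual response for credentialed requests; the lines that set it fall between the two hunks, so if they now sit inside the `config.enablePreflight && 'OPTIONS' === req.method` block, credentialed non-preflight responses would be rejected by the browser. The enclosing `module.exports` function starts before the first hunk and ends after this one.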
21 changes: 12 additions & 9 deletions test/cors.js
Expand Up @@ -292,15 +292,16 @@ describe('cors', function(){
headers: ['header1', 'header2']
};
req = fakeRequest();
req.method = 'OPTIONS';
res = fakeResponse();
next = function(){
res.send = function(){
// assert
res.header('Access-Control-Allow-Headers').should.equal('header1,header2');
done();
};

// act
cors(options)(req, res, next);
cors(options)(req, res, null);
});

it('specifying an empty list or string of headers will result in no response header for headers', function(done){
Expand All @@ -327,15 +328,16 @@ describe('cors', function(){
options = {
};
req = fakeRequest();
req.method = 'OPTIONS';
res = fakeResponse();
next = function(){
res.send = function(){
// assert
res.header('Access-Control-Allow-Headers').should.equal('requestedHeader1,requestedHeader2');
done();
};

// act
cors(options)(req, res, next);
cors(options)(req, res, null);
});

it('includes credentials if explicitly enabled', function(done){
Expand All @@ -345,16 +347,16 @@ describe('cors', function(){
credentials: true
};
req = fakeRequest();
req.method = 'OPTIONS';
res = fakeResponse();
next = function(){
res.send = function(){
// assert
res.header('Access-Control-Allow-Credentials').should.equal('true');
//should.not.exist(res.header('Access-Control-Allow-Credentials'));
done();
};

// act
cors(options)(req, res, next);
cors(options)(req, res, null);
});

it('does not includes credentials unless explicitly enabled', function(done){
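Review bot: Every rewritten case in this file now forces `req.method = 'OPTIONS'` and asserts from a stubbed `res.send`, so after this commit no test exercises the non-preflight path, and the credentials case above is the one where that matters: `Access-Control-Allow-Credentials` is required on the actual response as well as the preflight, so a second case using the default method and a real `next` asserting the same header would guard against the header being emitted only on preflight. Passing `null` as `next` also means a regression that routes an OPTIONS request to `next()` fails with a TypeError rather than a readable assertion; `next = function(){ throw new Error('preflight should not reach next()'); };` makes the intent explicit. The same shape applies to the other three hunks in this file.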
Expand All @@ -381,15 +383,16 @@ describe('cors', function(){
maxAge: 456
};
req = fakeRequest();
req.method = 'OPTIONS';
res = fakeResponse();
next = function(){
res.send = function(code){
// assert
res.header('Access-Control-Allow-Max-Age').should.equal('456');
done();
};

// act
cors(options)(req, res, next);
cors(options)(req, res, null);
});

it('does not includes maxAge unless specified', function(done){
