Comments (10)
I don't understand. Can you make some code examples?
from fastify-cors.
Ok. So let's say we have two origin functions whose callback follows the signature "err [object], allow [bool]": one of them, "originAllow", will set the allow parameter to true, and the other, "originDeny", will do the opposite and set it to false:
function originAllow(origin, callback) {
  callback(null, true); // allow set to true
}
function originDeny(origin, callback) {
  callback(null, false); // allow set to false
}
Later we'll have two situations:
const fastify = require('fastify')()
fastify.register(require('fastify-cors'), { origin: originAllow}) // case 1
fastify.register(require('fastify-cors'), { origin: originDeny}) // case 2
fastify.get('/', (req, reply) => {
  reply.send({ hello: 'world' })
})
fastify.listen(3000)
So in the first case it will work as expected and will add access-control-allow-origin header with value that came in origin header.
In the second case it will not add any cors headers and it will act just like code:
fastify.register(require('fastify-cors'), { origin: false})
which means cors is disabled and no headers will be added. So as a result both cross origin requests will pass without any restrictions.
Another example:
const fastify = require('fastify')()
fastify.register(require('fastify-cors'), { origin: (origin, callback) => {
  if (origin === 'example.com') {
    callback(null, true);
  } else {
    callback(null, false);
  }
}})
fastify.get('/', (req, reply) => {
  reply.send({ hello: 'world' })
})
fastify.listen(3000)
In this case also all requests will pass without any errors. The only way to restrict this is to throw an error that will result in 500 error code which is not correct.
from fastify-cors.
I find the function description accurate. Why is it confusing?
If you want to return a different status code, you'll have to use http://npm.im/http-errors or set an err.statusCode = code property.
from fastify-cors.
@mcollina because of the parameter named allow: it doesn't matter whether it is true or false, it always allows requests.
Also invalid CORS usually fail request with "Network error" that browser generates, but not "HTTP error" which is generated by server.
So as a result the origin function doesn't control the origin and decide whether to allow it or not. It controls the cors plugin and says whether to enable or disable it for the specified origin.
from fastify-cors.
because of parameter named allow because it doesn't matter will it be true or false it always allow requests.
The documentation clearly states that setting it to false disables cors (this is 100% modelled after https://www.npmjs.com/package/cors#configuration-options). It does not stop the requests.
Also invalid CORS usually fail request with "Network error" that browser generates, but not "HTTP error" which is generated by server.
I do not understand. What status code/header combination should be produced by the server to have the browser fail with "network error"?
from fastify-cors.
Ok, but even in original cors module there's a mistake in docs as well. See expressjs/cors#103 (comment).
from fastify-cors.
I still do not understand what the mistake is in the docs. Can you send a PR?
from fastify-cors.
I'm trying to understand the following thing in the description:
Function - set origin to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature err [object], allow [bool]) as the second, async-await and promises are supported as well.
What exactly does the parameter allow do?
So I can't send a proper PR until I understand its purpose.
from fastify-cors.
The origin function enables you to provide the same value of the ‘origin’ config option for every request. The semantics is identical.
from fastify-cors.
Closing due to inactivity. Feel free to reopen if needed.
from fastify-cors.
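The behaviour discussed in this thread, as an added example (not code from fastify-cors or from any commenter): a callback of `allow = false` only withholds the CORS header, so the request is still processed and the browser is what keeps the response from the calling script. The server and browser are simulated, a simple (non-preflighted) request is assumed, and `ALLOWED` and all function names are hypothetical.

```javascript
// Added example: a model of the thread's point, with no fastify and no network.
// ALLOWED and every function name below are hypothetical.
const ALLOWED = new Set(['https://app.example.com']); // constructed allow-list

// Origin function in the thread's shape: callback(err, allow).
// The Origin header is a serialized origin (scheme://host[:port]),
// so the comparison uses full origins, not bare host names.
function originCheck(origin, callback) {
  callback(null, ALLOWED.has(origin));
}

// Variant that refuses the request itself by passing an error with a
// statusCode property, as suggested in the thread.
function originReject(origin, callback) {
  if (ALLOWED.has(origin)) return callback(null, true);
  const err = new Error('origin not allowed');
  err.statusCode = 403;
  callback(err);
}

// Simulated server: allow=true reflects the origin, allow=false adds no CORS
// header. Either way the route handler runs; only an error stops it.
function handleRequest(requestOrigin, originFn) {
  let result;
  originFn(requestOrigin, (err, allow) => {
    if (err) {
      result = { status: err.statusCode || 500, headers: {}, handlerRan: false };
      return;
    }
    const headers = allow ? { 'access-control-allow-origin': requestOrigin } : {};
    result = { status: 200, headers, handlerRan: true };
  });
  return result; // originFn is assumed to call back synchronously
}

// Simulated browser check for a simple (non-preflighted) cross-origin request:
// the script may read the response only if the header matches the page origin.
function browserLetsScriptRead(pageOrigin, response) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

const denied = handleRequest('https://other.example', originCheck);
console.log(denied.status, denied.handlerRan, browserLetsScriptRead('https://other.example', denied));
const refused = handleRequest('https://other.example', originReject);
console.log(refused.status, refused.handlerRan);
```

With `originCheck` the disallowed origin still gets a 200 and the handler runs; the response is only hidden from the calling script. `originReject` is the variant that stops the request on the server.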