From c8b6ec2479abb4a4181e966a0b6e0448ce9dbad1 Mon Sep 17 00:00:00 2001 From: Yuichi Okada Date: Tue, 21 May 2019 01:27:38 +0900 Subject: [PATCH 001/107] docs: update the table of contents in readme closes #173 --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 732b847..3bec1d1 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,9 @@ CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/co * [Simple Usage](#simple-usage-enable-all-cors-requests) * [Enable CORS for a Single Route](#enable-cors-for-a-single-route) * [Configuring CORS](#configuring-cors) - * [Configuring CORS Asynchronously](#configuring-cors-asynchronously) + * [Configuring CORS w/ Dynamic Origin](#configuring-cors-w-dynamic-origin) * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight) + * [Configuring CORS Asynchronously](#configuring-cors-asynchronously) * [Configuration Options](#configuration-options) * [Demo](#demo) * [License](#license) From 479b4e0388d90865143636400a79d3f92d77d64b Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 2 Apr 2019 20:28:48 -0400 Subject: [PATCH 002/107] build: express@4.16.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index ff37d98..517895f 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ "devDependencies": { "after": "0.8.2", "eslint": "2.13.1", - "express": "4.16.3", + "express": "4.16.4", "mocha": "5.2.0", "nyc": "13.1.0", "supertest": "3.3.0" From 3775bcefc4d8f394a58dffc58ca0423871e9fbf1 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 2 Apr 2019 20:32:44 -0400 Subject: [PATCH 003/107] build: supertest@3.4.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 517895f..5b20200 100644 --- a/package.json +++ b/package.json 
@@ -22,7 +22,7 @@ "express": "4.16.4", "mocha": "5.2.0", "nyc": "13.1.0", - "supertest": "3.3.0" + "supertest": "3.4.2" }, "files": [ "lib/index.js", From 83c8d34545f42264e619ede5aead8854fb3e1c57 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 2 Apr 2019 20:38:03 -0400 Subject: [PATCH 004/107] build: Node.js@6.17 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5ff123a..5431d2b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,7 +2,7 @@ language: node_js node_js: - "0.10" - "4.9" - - "6.14" + - "6.17" - "8.12" - "10.11" sudo: false From cae6ac6d14a150dbb19d8e511e676c3a93869d18 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 2 Apr 2019 20:42:11 -0400 Subject: [PATCH 005/107] build: Node.js@8.15 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5431d2b..87e33a7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ node_js: - "0.10" - "4.9" - "6.17" - - "8.12" + - "8.15" - "10.11" sudo: false cache: From 864d71c581c8721352941cb6a28841609fb69211 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 3 Apr 2019 01:27:06 -0400 Subject: [PATCH 006/107] build: Node.js@10.15 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 87e33a7..628d44d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.15" - - "10.11" + - "10.15" sudo: false cache: directories: From 48deee9d09c90d8d06089990172faa8b77b0506e Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Thu, 4 Apr 2019 15:30:17 -0400 Subject: [PATCH 007/107] build: speed up logic in Travis CI build steps --- .travis.yml | 51 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/.travis.yml b/.travis.yml index 628d44d..c9b7c8a 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -10,31 +10,44 @@ cache: directories: - node_modules before_install: + - | + # Setup utility functions + function node_version_lt () { + [[ "$(v "$TRAVIS_NODE_VERSION")" -lt "$(v "${1}")" ]] + } + function npm_module_installed () { + npm -lsp ls | grep -Fq "$(pwd)/node_modules/${1}:${1}@" + } + function npm_use_module () { + node -e ' + fs = require("fs"); + p = JSON.parse(fs.readFileSync("package.json", "utf8")); + p.devDependencies[process.argv[1]] = process.argv[2]; + fs.writeFileSync("package.json", JSON.stringify(p, null, 2) + "\n"); + ' "$@" + } + function v () { + tr '.' '\n' <<< "${1}" \ + | awk '{ printf "%03d", $0 }' \ + | sed 's/^0*//' + } # Configure npm - | # Skip updating shrinkwrap / lock npm config set shrinkwrap false # Setup Node.js version-specific dependencies - | - # mocha for testing - # - use 3.x for Node.js < 6 - if [[ "$(cut -d. -f1 <<< "$TRAVIS_NODE_VERSION")" -lt 6 ]]; then - npm install --save-dev mocha@3.5.3 + # Configure mocha for testing + if node_version_lt '4.0'; then npm_use_module 'mocha' '3.5.3' fi - | - # nyc for coverage - # - use 10.x for Node.js < 4 - # - use 11.x for Node.js < 6 - if [[ "$(cut -d. -f1 <<< "$TRAVIS_NODE_VERSION")" -lt 4 ]]; then - npm install --save-dev nyc@10.3.2 - elif [[ "$(cut -d. -f1 <<< "$TRAVIS_NODE_VERSION")" -lt 6 ]]; then - npm install --save-dev nyc@11.9.0 + # Configure nyc for testing + if node_version_lt '4.0'; then npm_use_module 'nyc' '10.3.2' + elif node_version_lt '6.0'; then npm_use_module 'nyc' '11.9.0' fi - | - # supertest for http calls - # - use 2.0.0 for Node.js < 4 - if [[ "$(cut -d. -f1 <<< "$TRAVIS_NODE_VERSION")" -lt 4 ]]; then - npm install --save-dev supertest@2.0.0 + # Configure supertest for http calls + if node_version_lt '4.0'; then npm_use_module 'supertest' '2.0.0' fi # Update Node.js modules - | 
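Review bot: The `v` helper only produces comparable numbers when both versions have the same number of dot-separated parts, because it concatenates zero-padded components without normalising how many there are. That holds for the `major.minor` entries in `node_js` and the `'4.0'`/`'6.0'` arguments used in this hunk, but a bare major such as `8` would become `8` and compare as lower than `4000`, so `node_version_lt` would silently select the wrong dev dependencies. A comment above `function v ()` would record the constraint, for example `# v: "X.Y" -> integer; both sides of node_version_lt must have the same number of components`.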
@@ -43,10 +56,18 @@ before_install: npm prune npm rebuild fi +before_scrpt: + - | + # Contents of node_modules + npm -s ls ||: script: - | # Run test script npm test + - | + # Run linting, if eslint exists + if npm_module_installed 'eslint'; then npm run-script lint + fi after_script: - | # Upload coverage to coveralls if exists From 01bd95a37bb1eaed3d427e4d9a34f79886ed8340 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sat, 6 Apr 2019 21:50:53 -0400 Subject: [PATCH 008/107] build: mocha@6.0.2 --- .travis.yml | 3 ++- package.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index c9b7c8a..1ebea3b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -38,7 +38,8 @@ before_install: # Setup Node.js version-specific dependencies - | # Configure mocha for testing - if node_version_lt '4.0'; then npm_use_module 'mocha' '3.5.3' + if node_version_lt '4.0'; then npm_use_module 'mocha' '3.5.3' + elif node_version_lt '6.0'; then npm_use_module 'mocha' '5.2.0' fi - | # Configure nyc for testing diff --git a/package.json b/package.json index 5b20200..1535129 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "2.13.1", "express": "4.16.4", - "mocha": "5.2.0", + "mocha": "6.0.2", "nyc": "13.1.0", "supertest": "3.4.2" }, From 9c2b59d8844925cc65d56c82f81b572815e77149 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sun, 7 Apr 2019 01:40:30 -0400 Subject: [PATCH 009/107] build: eslint@3.19.0 --- .travis.yml | 17 ++++++++++++++++- package.json | 5 +++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 1ebea3b..b53b1c0 100644 --- a/.travis.yml +++ b/.travis.yml 
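Review bot: The phase key added in this hunk is spelled `before_scrpt:`, which is not the `before_script` phase name, so the `npm -s ls ||:` listing presumably never runs in CI. It should read `before_script:`. The misspelling is easy to miss because the step is diagnostic only and its absence does not fail the build.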
@@ -18,6 +18,17 @@ before_install: function npm_module_installed () { npm -lsp ls | grep -Fq "$(pwd)/node_modules/${1}:${1}@" } + function npm_remove_module_re () { + node -e ' + fs = require("fs"); + p = JSON.parse(fs.readFileSync("package.json", "utf8")); + r = RegExp(process.argv[1]); + for (k in p.devDependencies) { + if (r.test(k)) delete p.devDependencies[k]; + } + fs.writeFileSync("package.json", JSON.stringify(p, null, 2) + "\n"); + ' "$@" + } function npm_use_module () { node -e ' fs = require("fs"); @@ -36,6 +47,10 @@ before_install: # Skip updating shrinkwrap / lock npm config set shrinkwrap false # Setup Node.js version-specific dependencies + - | + # Configure eslint for linting + if node_version_lt '4.0'; then npm_remove_module_re '^eslint(-|$)' + fi - | # Configure mocha for testing if node_version_lt '4.0'; then npm_use_module 'mocha' '3.5.3' @@ -64,7 +79,7 @@ before_scrpt: script: - | # Run test script - npm test + npm run test-ci - | # Run linting, if eslint exists if npm_module_installed 'eslint'; then npm run-script lint diff --git a/package.json b/package.json index 1535129..86ac2cb 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "2.13.1", + "eslint": "3.19.0", "express": "4.16.4", "mocha": "6.0.2", "nyc": "13.1.0", @@ -35,7 +35,8 @@ "node": ">= 0.10" }, "scripts": { - "test": "npm run lint && nyc --reporter=html --reporter=text mocha --require test/support/env", + "test": "npm run lint && npm run test-ci", + "test-ci": "nyc --reporter=html --reporter=text mocha --require test/support/env", "lint": "eslint lib test" } } From cfa2154a28eea4dbc6b096330d55d1efa8073f15 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 8 Apr 2019 19:47:27 -0400 Subject: [PATCH 010/107] build: supertest@4.0.2 --- .travis.yml | 3 ++- package.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index b53b1c0..8d69aee 100644 
--- a/.travis.yml +++ b/.travis.yml @@ -63,7 +63,8 @@ before_install: fi - | # Configure supertest for http calls - if node_version_lt '4.0'; then npm_use_module 'supertest' '2.0.0' + if node_version_lt '4.0'; then npm_use_module 'supertest' '2.0.0' + elif node_version_lt '6.0'; then npm_use_module 'supertest' '3.4.2' fi # Update Node.js modules - | diff --git a/package.json b/package.json index 86ac2cb..15edc69 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "express": "4.16.4", "mocha": "6.0.2", "nyc": "13.1.0", - "supertest": "3.4.2" + "supertest": "4.0.2" }, "files": [ "lib/index.js", From 95f9c722b5a36d1bbb9150e40c76da1e21f278ab Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 12 Apr 2019 20:43:06 -0400 Subject: [PATCH 011/107] tests: use well-formatted origin in tests --- test/test.js | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/test/test.js b/test/test.js index c014476..9172659 100644 --- a/test/test.js +++ b/test/test.js @@ -10,7 +10,7 @@ return { method: method, headers: headers || { - 'origin': 'request.com', + 'origin': 'http://example.com', 'access-control-request-headers': 'requestedHeader1,requestedHeader2' } }; @@ -197,7 +197,7 @@ var cb = after(1, done) var req, res, next, options; options = { - origin: 'example.com', + origin: 'http://example.com', methods: ['FOO', 'bar'], headers: ['FIZZ', 'buzz'], credentials: true, @@ -208,7 +208,7 @@ res.end = function () { // assert assert.equal(res.statusCode, 204) - assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'example.com') + assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'FOO,bar') assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'FIZZ,buzz') assert.equal(res.getHeader('Access-Control-Allow-Credentials'), 'true') 
@@ -227,7 +227,7 @@ it('matches request origin against regexp', function(done) { var req = fakeRequest('GET'); var res = fakeResponse(); - var options = { origin: /^(.+\.)?request.com$/ }; + var options = { origin: /:\/\/(.+\.)?example.com$/ } cors(options)(req, res, function(err) { assert.ifError(err) assert.equal(res.getHeader('Access-Control-Allow-Origin'), req.headers.origin) @@ -239,7 +239,7 @@ it('matches request origin against array of origin checks', function(done) { var req = fakeRequest('GET'); var res = fakeResponse(); - var options = { origin: [ /foo\.com$/, 'request.com' ] }; + var options = { origin: [ /foo\.com$/, 'http://example.com' ] } cors(options)(req, res, function(err) { assert.ifError(err) assert.equal(res.getHeader('Access-Control-Allow-Origin'), req.headers.origin) @@ -290,13 +290,13 @@ // arrange var req, res, next, options; options = { - origin: 'example.com' + origin: 'http://example.com' }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert - assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'example.com') + assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') done(); }; @@ -308,7 +308,7 @@ // arrange var req, res, next, options; options = { - origin: 'example.com' + origin: 'http://example.com' }; req = fakeRequest('GET'); res = fakeResponse(); @@ -326,7 +326,7 @@ // arrange var req, res, next, options; options = { - origin: 'example.com' + origin: 'http://example.com' }; req = fakeRequest('GET'); res = fakeResponse(); @@ -366,7 +366,7 @@ res = fakeResponse(); next = function () { // assert - assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'request.com') + assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') done(); }; 
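Review bot: The origin pattern introduced in the `matches request origin against regexp` test, `/:\/\/(.+\.)?example.com$/`, leaves the dot in `example.com` unescaped and has no `^` anchor, so it accepts more than the host it names (any character in place of the dot, for one). The array test in the next hunk carries over `/foo\.com$/`, which matches any origin that merely ends in `foo.com`. Test fixtures for `origin` are often copied as allowlist examples, so tighter patterns would be safer: `var options = { origin: /^https?:\/\/([a-z0-9-]+\.)*example\.com$/ }` and `/^https?:\/\/([a-z0-9-]+\.)*foo\.com$/`. Both tests should still pass with the default `http://example.com` request origin.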
@@ -378,14 +378,13 @@ var req, res, next, options; options = { origin: function (sentOrigin, cb) { - assert.equal(sentOrigin, 'request.com') cb(null, true); } }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { - assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'request.com') + assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') done(); }; @@ -396,7 +395,6 @@ var req, res, next, options; options = { origin: function (sentOrigin, cb) { - assert.equal(sentOrigin, 'request.com') cb(null, false); } }; @@ -418,21 +416,20 @@ var req, res, next, options; options = { origin: function (sentOrigin, cb) { - var isValid = sentOrigin === 'request.com'; - cb(null, isValid); + cb(null, sentOrigin === 'http://example.com') } }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { - assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'request.com') + assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') }; cors(options)(req, res, next); req = fakeRequest('GET', { - 'origin': 'invalid-request.com' + 'origin': 'http://localhost' }); res = fakeResponse(); From 89350c952874619b095d8dc46eabd3ba9a836d81 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 12 Apr 2019 21:03:53 -0400 Subject: [PATCH 012/107] tests: add finish event to fake response --- test/test.js | 420 +++++++++++++++++++++++---------------------------- 1 file changed, 191 insertions(+), 229 deletions(-) diff --git a/test/test.js b/test/test.js index 9172659..f2a2e94 100644 --- a/test/test.js +++ b/test/test.js @@ -1,5 +1,9 @@ -(function () { +'use strict' +var EventEmitter = require('events').EventEmitter +var util = require('util') + +;(function () { 'use strict'; var after = require('after') 
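Review bot: The first two `origin: function (sentOrigin, cb)` tests delete `assert.equal(sentOrigin, 'request.com')` instead of updating it, so they no longer check which value the middleware passes to a dynamic origin function. Only the third test still depends on `sentOrigin`, and only indirectly through the response header. Keeping the check with the new value, `assert.equal(sentOrigin, 'http://example.com')`, would preserve the coverage; the enclosing `it` blocks start outside these hunks.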
@@ -7,29 +11,12 @@ var cors = require('..') var fakeRequest = function (method, headers) { - return { - method: method, - headers: headers || { - 'origin': 'http://example.com', - 'access-control-request-headers': 'requestedHeader1,requestedHeader2' - } - }; - }, - fakeResponse = function () { - var headers = {}; - return { - getHeader: function (key) { - return headers[key]; - }, - setHeader: function (key, value) { - headers[key] = value; - return; - }, - get: function (key) { - return headers[key]; - } - }; - }; + return new FakeRequest(method, headers) + } + + var fakeResponse = function () { + return new FakeResponse() + } describe('cors', function () { it('does not alter `options` configuration object', function () { 
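Review bot: `fakeRequest` and `fakeResponse` are kept here as one-line pass-throughs to `new FakeRequest(method, headers)` and `new FakeResponse()`, while the tests rewritten in the later hunks of this commit call the constructors directly, so the file ends up with two spellings for the same fixture. Either convert the remaining `fakeRequest(...)`/`fakeResponse()` call sites or keep the wrappers everywhere. The old `fakeResponse` also exposed a `get` method that the new `FakeResponse` does not define; if any untouched test still calls `res.get(...)` it would now fail, which is worth confirming outside this hunk.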
@@ -55,102 +42,79 @@ }); it('shortcircuits preflight requests', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.statusCode, 204) cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors()(req, res, next); + cors()(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('can configure preflight success response status code', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.statusCode, 200) cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) // act - cors({optionsSuccessStatus: 200})(req, res, next); + cors({ optionsSuccessStatus: 200 })(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('doesn\'t shortcircuit preflight requests with preflightContinue option', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { cb(new Error('should not be called')) - }; - next = function () { - // assert - cb() - }; + }) - // act - cors({preflightContinue: true})(req, res, next); + cors({ preflightContinue: true })(req, res, function (err) { + if (err) return cb(err) + setTimeout(cb, 10) + }) }); it('normalizes method names', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = 
fakeRequest('options'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('options') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.statusCode, 204) cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors()(req, res, next); + cors()(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('includes Content-Length response header', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.getHeader('Content-Length'), '0') cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors()(req, res, next); + cors()(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('no options enables default CORS to all origins', function (done) { 
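Review bot: The `preflightContinue` test proves a negative with `setTimeout(cb, 10)`, and nothing explains why 10 ms is enough. `FakeResponse.prototype.end`, added at the bottom of this commit, emits `finish` on `process.nextTick`, so the delay only has to outlast one tick. A comment on that line would make the dependency explicit, for example `// FakeResponse emits 'finish' on nextTick; wait past it so a stray end() is caught`.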
@@ -170,43 +134,36 @@ }); it('OPTION call with no options enables default CORS to all origins and methods', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Origin'), '*') assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'GET,HEAD,PUT,PATCH,POST,DELETE') cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors()(req, res, next); + cors()(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); describe('passing static options', function () { it('overrides defaults', function (done) { - // arrange var cb = after(1, done) - var req, res, next, options; - options = { + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + var options = { origin: 'http://example.com', methods: ['FOO', 'bar'], headers: ['FIZZ', 'buzz'], credentials: true, maxAge: 123 }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + + res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'FOO,bar') @@ -214,14 +171,11 @@ assert.equal(res.getHeader('Access-Control-Allow-Credentials'), 'true') assert.equal(res.getHeader('Access-Control-Max-Age'), '123') cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors(options)(req, res, next); + cors(options)(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('matches request origin against regexp', function(done) { 
@@ -447,86 +401,70 @@ it('can override methods', function (done) { - // arrange var cb = after(1, done) - var req, res, next, options; - options = { + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + var options = { methods: ['method1', 'method2'] }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + + res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'method1,method2') cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors(options)(req, res, next); + cors(options)(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('methods defaults to GET, HEAD, PUT, PATCH, POST, DELETE', function (done) { - // arrange var cb = after(1, done) - var req, res, next; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'GET,HEAD,PUT,PATCH,POST,DELETE') cb() - }; - next = function () { - // assert - cb(new Error('should not be called')) - }; + }) - // act - cors()(req, res, next); + cors()(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('can specify allowed headers as array', function (done) { - // arrange - var req, res, options; - options = { - allowedHeaders: ['header1', 'header2'] - }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'header1,header2') assert.equal(res.getHeader('Vary'), undefined) - done(); - }; + cb() + }) - // act - 
cors(options)(req, res, null); + cors({ allowedHeaders: ['header1', 'header2'] })(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('can specify allowed headers as string', function (done) { - // arrange - var req, res, options; - options = { - allowedHeaders: 'header1,header2' - }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'header1,header2') assert.equal(res.getHeader('Vary'), undefined) - done(); - }; + cb() + }) - // act - cors(options)(req, res, null); + cors({ allowedHeaders: 'header1,header2' })(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('specifying an empty list or string of allowed headers will result in no response header for allowed headers', function (done) { @@ -549,19 +487,19 @@ }); it('if no allowed headers are specified, defaults to requested allowed headers', function (done) { - // arrange - var req, res; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert - assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'requestedHeader1,requestedHeader2') + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { + assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'x-header-1, x-header-2') assert.equal(res.getHeader('Vary'), 'Access-Control-Request-Headers') - done(); - }; + cb() + }) - // act - cors()(req, res, null); + cors()(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('can specify exposed headers as array', function (done) { 
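Review bot: The `defaults to requested allowed headers` test now expects `'x-header-1, x-header-2'`, which is exactly the `access-control-request-headers` value `FakeRequest` sends by default, so it pins that the middleware echoes a client-supplied header back verbatim when `allowedHeaders` is unset. That reflection is the reason the `Vary: Access-Control-Request-Headers` assertion matters, and the test does not say so. A short comment would help readers who copy the default configuration, for example `// default echoes the request's Access-Control-Request-Headers, so Vary must be set for caches`.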
@@ -619,21 +557,18 @@ }); it('includes credentials if explicitly enabled', function (done) { - // arrange - var req, res, options; - options = { - credentials: true - }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Credentials'), 'true') - done(); - }; + cb() + }) - // act - cors(options)(req, res, null); + cors({ credentials: true })(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('does not includes credentials unless explicitly enabled', function (done) { 
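Review bot: `cors({ credentials: true })` in the `includes credentials if explicitly enabled` test leaves `origin` at its default, which the default-options tests in this file show is `*`, so the fixture presumably yields `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`. Browsers refuse credentialed responses that carry a wildcard origin, so the test models a configuration that does not work in practice. Passing an explicit origin, `cors({ credentials: true, origin: 'http://example.com' })`, keeps the assertion unchanged and gives readers a usable example.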
@@ -652,39 +587,33 @@ }); it('includes maxAge when specified', function (done) { - // arrange - var req, res, options; - options = { - maxAge: 456 - }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Max-Age'), '456') - done(); - }; + cb() + }) - // act - cors(options)(req, res, null); + cors({ maxAge: 456 })(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('includes maxAge when specified and equals to zero', function (done) { - // arrange - var req, res, options - options = { - maxAge: 0 - } - req = fakeRequest('OPTIONS') - res = fakeResponse() - res.end = function () { - // assert + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + + res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Max-Age'), '0') - done() - } + cb() + }) - // act - cors(options)(req, res, null) + cors({ maxAge: 0 })(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('does not includes maxAge unless specified', function (done) { 
@@ -725,25 +654,25 @@ }); it('handles options specified via callback for preflight', function (done) { - // arrange - var req, res, delegate; - delegate = function (req2, cb) { + var cb = after(1, done) + var req = new FakeRequest('OPTIONS') + var res = new FakeResponse() + var delegate = function (req2, cb) { cb(null, { origin: 'delegate.com', maxAge: 1000 }); }; - req = fakeRequest('OPTIONS'); - res = fakeResponse(); - res.end = function () { - // assert + + res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'delegate.com') assert.equal(res.getHeader('Access-Control-Max-Age'), '1000') - done(); - }; + cb() + }) - // act - cors(delegate)(req, res, null); + cors(delegate)(req, res, function (err) { + cb(err || new Error('should not be called')) + }) }); it('handles error specified via callback', function (done) { @@ -767,3 +696,36 @@ }); }()); + +function FakeRequest (method, headers) { + this.headers = headers || { + 'origin': 'http://example.com', + 'access-control-request-headers': 'x-header-1, x-header-2' + } + this.method = method || 'GET' +} + +function FakeResponse () { + this._headers = {} + this.statusCode = 200 +} + +util.inherits(FakeResponse, EventEmitter) + +FakeResponse.prototype.end = function end () { + var response = this + + process.nextTick(function () { + response.emit('finish') + }) +} + +FakeResponse.prototype.getHeader = function getHeader (name) { + var key = name.toLowerCase() + return this._headers[key] +} + +FakeResponse.prototype.setHeader = function setHeader (name, value) { + var key = name.toLowerCase() + this._headers[key] = value +} From b84ed5a6973920dfa2839207162d506c51ba6f08 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 14 May 2019 16:40:57 -0400 Subject: [PATCH 013/107] build: Node.js@8.16 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8d69aee..9e545d7 100644 --- a/.travis.yml +++ b/.travis.yml 
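Review bot: In the `handles options specified via callback for preflight` test the delegate's second parameter `cb` shadows the `var cb = after(1, done)` that this hunk adds three lines above it. The code works because the inner name is only used inside the delegate, but the two meanings of `cb` are easy to mix up in a later edit. Renaming the parameter avoids that: `var delegate = function (req2, callback) {` with `callback(null, {` in the body.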
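Review bot: `FakeResponse` inherits from `EventEmitter` through `util.inherits` but its constructor never runs the parent constructor; adding `EventEmitter.call(this)` as the first line of `function FakeResponse ()` would initialise the emitter state explicitly instead of relying on lazy setup in `on`. The `util.inherits(...)` call and the prototype assignments also sit below the test IIFE, so they execute only after the `describe` bodies have run. That is fine while instances are created inside `it` callbacks, as they are here, but moving the fixture definitions above the suite would remove the ordering dependency.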
@@ -3,7 +3,7 @@ node_js: - "0.10" - "4.9" - "6.17" - - "8.15" + - "8.16" - "10.15" sudo: false cache: From 8ccf4c3c75f051cb08cf5d3182a4a7b849403a53 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 14 May 2019 16:45:43 -0400 Subject: [PATCH 014/107] build: nyc@13.3.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 15edc69..e466d5f 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "eslint": "3.19.0", "express": "4.16.4", "mocha": "6.0.2", - "nyc": "13.1.0", + "nyc": "13.3.0", "supertest": "4.0.2" }, "files": [ From 369bdd4f612ab89ae291482be09ca6c45180a1eb Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 14 May 2019 16:48:58 -0400 Subject: [PATCH 015/107] build: mocha@6.1.4 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e466d5f..6a755ac 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "3.19.0", "express": "4.16.4", - "mocha": "6.0.2", + "mocha": "6.1.4", "nyc": "13.3.0", "supertest": "4.0.2" }, From 59a520df9aca052093e32dce36699663220c7f82 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 15 May 2019 00:21:42 -0400 Subject: [PATCH 016/107] build: eslint@4.19.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 6a755ac..55819f1 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "3.19.0", + "eslint": "4.19.1", "express": "4.16.4", "mocha": "6.1.4", "nyc": "13.3.0", From 20d42bc1b7f1e9f7976e341414fc9b02dffe007f Mon Sep 17 00:00:00 2001 From: Troy Goode Date: Mon, 27 May 2019 23:26:50 -0700 Subject: [PATCH 017/107] docs: update demo to point at new Netlify site --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/README.md b/README.md index 3bec1d1..175b078 100644 --- a/README.md +++ b/README.md @@ -219,12 +219,12 @@ For details on the effect of each CORS header, read [this](http://www.html5rocks ## Demo -A demo that illustrates CORS working (and not working) using jQuery is available here: [http://node-cors-client.herokuapp.com/](http://node-cors-client.herokuapp.com/) +A demo that illustrates CORS working (and not working) using React is available here: [https://node-cors-client.netlify.com](https://node-cors-client.netlify.com) Code for that demo can be found here: -* Client: [https://github.com/TroyGoode/node-cors-client](https://github.com/TroyGoode/node-cors-client) -* Server: [https://github.com/TroyGoode/node-cors-server](https://github.com/TroyGoode/node-cors-server) +* Client: [https://github.com/troygoode/node-cors-client](https://github.com/troygoode/node-cors-client) +* Server: [https://github.com/troygoode/node-cors-server](https://github.com/troygoode/node-cors-server) ## License From 192e4ca38ddf64da0348295ab1445c666c674ed2 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 28 May 2019 22:41:44 -0400 Subject: [PATCH 018/107] build: express@4.17.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 55819f1..bccc86b 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ "devDependencies": { "after": "0.8.2", "eslint": "4.19.1", - "express": "4.16.4", + "express": "4.17.1", "mocha": "6.1.4", "nyc": "13.3.0", "supertest": "4.0.2" From 66f22ded47c4b133c6a35e63f22821fd47ad044b Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 28 May 2019 22:48:16 -0400 Subject: [PATCH 019/107] build: nyc@14.1.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bccc86b..2612b0e 100644 --- a/package.json +++ b/package.json 
@@ -21,7 +21,7 @@ "eslint": "4.19.1", "express": "4.17.1", "mocha": "6.1.4", - "nyc": "13.3.0", + "nyc": "14.1.1", "supertest": "4.0.2" }, "files": [ From c3c262bae2fa9ef0b1fbdad2f6cb922f78cfaa40 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 29 May 2019 15:30:17 -0400 Subject: [PATCH 020/107] build: Node.js@10.16 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 9e545d7..2f41a62 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.16" - - "10.15" + - "10.16" sudo: false cache: directories: From 244c547da3a46b2fcbf7ad0986b45600f09f82b3 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sat, 22 Jun 2019 20:51:25 -0400 Subject: [PATCH 021/107] build: eslint@5.16.0 --- .travis.yml | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2f41a62..083eadd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -49,7 +49,7 @@ before_install: # Setup Node.js version-specific dependencies - | # Configure eslint for linting - if node_version_lt '4.0'; then npm_remove_module_re '^eslint(-|$)' + if node_version_lt '6.0'; then npm_remove_module_re '^eslint(-|$)' fi - | # Configure mocha for testing diff --git a/package.json b/package.json index 2612b0e..fb63688 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "4.19.1", + "eslint": "5.16.0", "express": "4.17.1", "mocha": "6.1.4", "nyc": "14.1.1", From 7aa0bb869332ee1be30054a0a874739268de068c Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 7 Aug 2019 23:10:16 -0400 Subject: [PATCH 022/107] build: mocha@6.2.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index fb63688..22fc76e 100644 --- a/package.json +++ b/package.json 
@@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "5.16.0", "express": "4.17.1", - "mocha": "6.1.4", + "mocha": "6.2.0", "nyc": "14.1.1", "supertest": "4.0.2" }, From 8e5dd1a2dba50d01d8e06f9f313c15e5594f1fe2 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sat, 16 Nov 2019 01:20:44 -0500 Subject: [PATCH 023/107] build: Node.js@10.17 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 083eadd..2bf1a1a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.16" - - "10.16" + - "10.17" sudo: false cache: directories: From acd78e318af5174afbd160529ee021e586edb9cd Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Thu, 26 Dec 2019 21:07:19 -0500 Subject: [PATCH 024/107] build: eslint@6.8.0 --- .travis.yml | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2bf1a1a..a706f66 100644 --- a/.travis.yml +++ b/.travis.yml @@ -49,7 +49,7 @@ before_install: # Setup Node.js version-specific dependencies - | # Configure eslint for linting - if node_version_lt '6.0'; then npm_remove_module_re '^eslint(-|$)' + if node_version_lt '8.0'; then npm_remove_module_re '^eslint(-|$)' fi - | # Configure mocha for testing diff --git a/package.json b/package.json index 22fc76e..8d28524 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "5.16.0", + "eslint": "6.8.0", "express": "4.17.1", "mocha": "6.2.0", "nyc": "14.1.1", From 1384b9f0acf2680a1799c2acc285a894799f8ce7 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Thu, 26 Dec 2019 21:12:15 -0500 Subject: [PATCH 025/107] build: mocha@6.2.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 8d28524..eb0a6c5 100644 --- a/package.json +++ b/package.json 
@@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "6.8.0", "express": "4.17.1", - "mocha": "6.2.0", + "mocha": "6.2.2", "nyc": "14.1.1", "supertest": "4.0.2" }, From 467e71ad762c067c13bc4bb3f47b35575dcf2f2b Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 3 Jan 2020 20:03:12 -0500 Subject: [PATCH 026/107] build: nyc@15.0.0 --- .travis.yml | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a706f66..a48e823 100644 --- a/.travis.yml +++ b/.travis.yml @@ -60,6 +60,7 @@ before_install: # Configure nyc for testing if node_version_lt '4.0'; then npm_use_module 'nyc' '10.3.2' elif node_version_lt '6.0'; then npm_use_module 'nyc' '11.9.0' + elif node_version_lt '8.0'; then npm_use_module 'nyc' '14.1.1' fi - | # Configure supertest for http calls diff --git a/package.json b/package.json index eb0a6c5..9d44f1e 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "eslint": "6.8.0", "express": "4.17.1", "mocha": "6.2.2", - "nyc": "14.1.1", + "nyc": "15.0.0", "supertest": "4.0.2" }, "files": [ From 6ed272d822d2050e765672a493f5cd2de2c71c76 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 3 Jan 2020 20:09:56 -0500 Subject: [PATCH 027/107] build: Node.js@8.17 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a48e823..a1e0927 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ node_js: - "0.10" - "4.9" - "6.17" - - "8.16" + - "8.17" - "10.17" sudo: false cache: From 7386dfdc35ec5d7a0c3bbbbe5d488e1c140321b8 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 3 Jan 2020 20:13:20 -0500 Subject: [PATCH 028/107] build: Node.js@10.18 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a1e0927..2e444be 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.17" - - "10.17" + - "10.18" sudo: false cache: directories: From d50681825b08651165bc9765284f6f9488d6dbe4 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 9 Mar 2020 22:04:59 -0400 Subject: [PATCH 029/107] build: mocha@7.1.0 --- .travis.yml | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 2e444be..bf1e021 100644 --- a/.travis.yml +++ b/.travis.yml @@ -55,6 +55,7 @@ before_install: # Configure mocha for testing if node_version_lt '4.0'; then npm_use_module 'mocha' '3.5.3' elif node_version_lt '6.0'; then npm_use_module 'mocha' '5.2.0' + elif node_version_lt '8.0'; then npm_use_module 'mocha' '6.2.2' fi - | # Configure nyc for testing diff --git a/package.json b/package.json index 9d44f1e..4b2d22d 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "6.8.0", "express": "4.17.1", - "mocha": "6.2.2", + "mocha": "7.1.0", "nyc": "15.0.0", "supertest": "4.0.2" }, From 1b13e0b14bc5bd12f7fef2a4399bfb0e8fcbd9df Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 16 Mar 2020 21:59:14 -0400 Subject: [PATCH 030/107] build: remove deprecated Travis CI directive --- .travis.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index bf1e021..924fdaf 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,6 @@ node_js: - "6.17" - "8.17" - "10.18" -sudo: false cache: directories: - node_modules From 1ef7f91c2772d60e3d95c9057493c0cef38db184 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 16 Mar 2020 22:05:41 -0400 Subject: [PATCH 031/107] build: fix typo in Travis CI directive --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 924fdaf..8137697 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -74,7 +74,7 @@ before_install: npm prune npm rebuild fi -before_scrpt: +before_script: - | # Contents of node_modules npm -s ls ||: From 14dab65eaa5b06e764e953cffd2f36ab0bd6a0df Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 16 Mar 2020 22:09:10 -0400 Subject: [PATCH 032/107] build: Node.js@10.19 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8137697..26d1142 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.17" - - "10.18" + - "10.19" cache: directories: - node_modules From 8ee014607561f5282bb26d52216c31fdb0128c52 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Thu, 2 Apr 2020 18:53:56 -0400 Subject: [PATCH 033/107] build: mocha@7.1.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 4b2d22d..4541c49 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "6.8.0", "express": "4.17.1", - "mocha": "7.1.0", + "mocha": "7.1.1", "nyc": "15.0.0", "supertest": "4.0.2" }, From a8d7458dd98ba9e8f84607a4c7a68836e54d1e56 Mon Sep 17 00:00:00 2001 From: sandip mondal Date: Mon, 20 Apr 2020 17:41:29 +0530 Subject: [PATCH 034/107] build: support Node.js 12.x --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 26d1142..a7da50b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,6 +5,7 @@ node_js: - "6.17" - "8.17" - "10.19" + - "12.16" cache: directories: - node_modules From f91ec1d12ef301d98fdf623a9574af72864f0e23 Mon Sep 17 00:00:00 2001 From: dstudzinski Date: Wed, 4 Sep 2019 21:40:06 +0200 Subject: [PATCH 035/107] docs: fix the origin function callback type list closes #180 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 175b078..87b43a3 100644 --- a/README.md +++ b/README.md 
@@ -195,7 +195,7 @@ app.listen(80, function () { - `String` - set `origin` to a specific origin. For example if you set it to `"http://example.com"` only requests from "http://example.com" will be allowed. - `RegExp` - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\.com$/` will reflect any request that is coming from an origin ending with "example.com". - `Array` - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `["http://example1.com", /\.example2\.com$/]` will accept any request from "http://example1.com" or from a subdomain of "example2.com". - - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature `err [object], allow [bool]`) as the second. + - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (called as `callback(err, origin)`, where `origin` is a non-function value of the `origin` option) as the second. * `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: `['GET', 'PUT', 'POST']`). * `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: `['Content-Type', 'Authorization']`). If not specified, defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header. * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed. 
From ab68bb1039cc94a77af315433566bf9aa17548f3 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 22 Apr 2020 21:19:34 -0400 Subject: [PATCH 036/107] build: nyc@15.0.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 4541c49..368a8df 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "eslint": "6.8.0", "express": "4.17.1", "mocha": "7.1.1", - "nyc": "15.0.0", + "nyc": "15.0.1", "supertest": "4.0.2" }, "files": [ From c2c78dd8011e691f42e8fcde7de4f5b93759321c Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 22 Apr 2020 21:20:03 -0400 Subject: [PATCH 037/107] build: Node.js@10.20 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a7da50b..c8484cf 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.17" - - "10.19" + - "10.20" - "12.16" cache: directories: From 943ad3ca70902bd2ed316c47165b62dc624df8a3 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 22 Apr 2020 21:20:21 -0400 Subject: [PATCH 038/107] build: support Node.js 14.x --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index c8484cf..423fdea 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,6 +6,7 @@ node_js: - "8.17" - "10.20" - "12.16" + - "14.0" cache: directories: - node_modules From b945a30fa9efa89a2bf34280d54e9d8bcac5555a Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 6 May 2020 20:03:24 -0400 Subject: [PATCH 039/107] build: mocha@7.1.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 368a8df..e01e0a1 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "6.8.0", "express": "4.17.1", - "mocha": "7.1.1", + "mocha": "7.1.2", "nyc": "15.0.1", "supertest": "4.0.2" }, 
From e03e9ee89de73627c0dec1707d7e74f119b3da30 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 6 May 2020 20:08:22 -0400 Subject: [PATCH 040/107] build: Node.js@14.2 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 423fdea..5a24798 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,7 @@ node_js: - "8.17" - "10.20" - "12.16" - - "14.0" + - "14.2" cache: directories: - node_modules From eb41c8f05352ff1b03c0ccf6b6ef925951c8d7b7 Mon Sep 17 00:00:00 2001 From: Anshuman Chhapolia Date: Sun, 10 May 2020 11:30:37 +0530 Subject: [PATCH 041/107] docs: add note about application-level usage in pre-flight closes #195 closes #196 --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 87b43a3..c27612d 100644 --- a/README.md +++ b/README.md @@ -161,6 +161,10 @@ You can also enable pre-flight across-the-board like so: app.options('*', cors()) // include before other routes ``` +NOTE: When using this middleware as an application level middleware (for +example, `app.use(cors())`), pre-flight requests are already handled for all +routes. + ### Configuring CORS Asynchronously ```javascript From c1867c3a79c08e16b705e4a65e426f7d7459d0b1 Mon Sep 17 00:00:00 2001 From: Ollie Buck Date: Wed, 5 Jun 2019 14:04:56 +0100 Subject: [PATCH 042/107] docs: fix documentation around the proper dynamic origin use-case closes #175 --- README.md | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index c27612d..d1bcadb 100644 --- a/README.md +++ b/README.md 
@@ -91,19 +91,31 @@ app.listen(80, function () { ### Configuring CORS w/ Dynamic Origin +This module supports validating the origin dynamically using a function provided +to the `origin` option. This function will be passed a string that is the origin +(or `undefined` if the request has no origin), and a `callback` with the signature +`callback(error, origin)`. + +The `origin` argument to the callback can be any value allowed for the `origin` +option of the middleware, except a function. See the +[confugration options](#configuration-options) section for more information on all +the possible value types. + +This function is designed to allow the dynamic loading of allowed origin(s) from +a backing datasource, like a database. + ```javascript var express = require('express') var cors = require('cors') var app = express() -var whitelist = ['http://example1.com', 'http://example2.com'] var corsOptions = { origin: function (origin, callback) { - if (whitelist.indexOf(origin) !== -1) { - callback(null, true) - } else { - callback(new Error('Not allowed by CORS')) - } + // db.loadOrigins is an example call to load + // a list of origins from a backing database + db.loadOrigins(function (error, origins) { + callback(error, origins) + }) } } @@ -116,21 +128,6 @@ app.listen(80, function () { }) ``` -If you do not want to block REST tools or server-to-server requests, -add a `!origin` check in the origin function like so: - -```javascript -var corsOptions = { - origin: function (origin, callback) { - if (whitelist.indexOf(origin) !== -1 || !origin) { - callback(null, true) - } else { - callback(new Error('Not allowed by CORS')) - } - } -} -``` - ### Enabling CORS Pre-Flight Certain CORS requests are considered 'complex' and require an initial From 883c1f9bc691e093d55e131f356e4eda8c2a3564 Mon Sep 17 00:00:00 2001 
From: Douglas Christopher Wilson Date: Sun, 7 Jun 2020 19:22:07 -0400 Subject: [PATCH 043/107] build: Node.js@10.21 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5a24798..ba5a467 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.17" - - "10.20" + - "10.21" - "12.16" - "14.2" cache: From f6e95147124689ab63f5e9cbf03ab989c8bb6673 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 8 Jun 2020 00:32:04 -0400 Subject: [PATCH 044/107] build: Node.js@12.18 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ba5a467..f2b1226 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ node_js: - "6.17" - "8.17" - "10.21" - - "12.16" + - "12.18" - "14.2" cache: directories: From 33ef0ecfebf4864ffbd2157b85e7106e10c9b6e8 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 8 Jun 2020 00:36:37 -0400 Subject: [PATCH 045/107] build: Node.js@14.4 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index f2b1226..54fa816 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,7 @@ node_js: - "8.17" - "10.21" - "12.18" - - "14.2" + - "14.4" cache: directories: - node_modules From d7ef6c491d7c75ed1874a5e88aacd4059c710fe6 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 8 Jun 2020 00:39:30 -0400 Subject: [PATCH 046/107] build: mocha@7.2.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e01e0a1..d02a060 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "6.8.0", "express": "4.17.1", - "mocha": "7.1.2", + "mocha": "7.2.0", "nyc": "15.0.1", "supertest": "4.0.2" }, From d02727adb062d68746b6cc61b03956d8447dce99 Mon Sep 17 00:00:00 2001 
From: Janith Date: Sun, 28 Jun 2020 10:03:02 +0530 Subject: [PATCH 047/107] docs: use allowlist in examples closes #199 closes #200 --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d1bcadb..aa7a320 100644 --- a/README.md +++ b/README.md @@ -120,7 +120,7 @@ var corsOptions = { } app.get('/products/:id', cors(corsOptions), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for a whitelisted domain.'}) + res.json({msg: 'This is CORS-enabled for an allowed domain.'}) }) app.listen(80, function () { @@ -169,10 +169,10 @@ var express = require('express') var cors = require('cors') var app = express() -var whitelist = ['http://example1.com', 'http://example2.com'] +var allowlist = ['http://example1.com', 'http://example2.com'] var corsOptionsDelegate = function (req, callback) { var corsOptions; - if (whitelist.indexOf(req.header('Origin')) !== -1) { + if (allowlist.indexOf(req.header('Origin')) !== -1) { corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response } else { corsOptions = { origin: false } // disable CORS for this request @@ -181,7 +181,7 @@ var corsOptionsDelegate = function (req, callback) { } app.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for a whitelisted domain.'}) + res.json({msg: 'This is CORS-enabled for an allowed domain.'}) }) app.listen(80, function () { From ed34fb6ab0760e7016b52be94ef722105158b364 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 29 Jul 2020 22:41:29 -0400 Subject: [PATCH 048/107] build: Node.js@10.22 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 54fa816..9499834 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ node_js: - "4.9" - "6.17" - "8.17" - - "10.21" + - "10.22" - "12.18" - "14.4" cache: 
From ab908c78a2fea6d70b43bc33b528fab71b5f105b Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 29 Jul 2020 22:44:53 -0400 Subject: [PATCH 049/107] build: Node.js@14.5 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 9499834..ff02fce 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,7 @@ node_js: - "8.17" - "10.22" - "12.18" - - "14.4" + - "14.5" cache: directories: - node_modules From afe4d4d749f80ed425c06f2050387ec9c6a8104d Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 29 Jul 2020 22:48:11 -0400 Subject: [PATCH 050/107] build: nyc@15.1.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d02a060..09426fc 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,7 @@ "eslint": "6.8.0", "express": "4.17.1", "mocha": "7.2.0", - "nyc": "15.0.1", + "nyc": "15.1.0", "supertest": "4.0.2" }, "files": [ From 51add64df97ffe75493a76dffc7fbb5b1951115f Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Thu, 30 Jul 2020 00:18:09 -0400 Subject: [PATCH 051/107] build: eslint@7.5.0 --- .travis.yml | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index ff02fce..e19053c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -50,7 +50,7 @@ before_install: # Setup Node.js version-specific dependencies - | # Configure eslint for linting - if node_version_lt '8.0'; then npm_remove_module_re '^eslint(-|$)' + if node_version_lt '10.12'; then npm_remove_module_re '^eslint(-|$)' fi - | # Configure mocha for testing diff --git a/package.json b/package.json index 09426fc..bae3975 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "6.8.0", + "eslint": "7.5.0", "express": "4.17.1", "mocha": "7.2.0", "nyc": "15.1.0", From 94c6e25bcacac2776241c9903e3c7295bbb5bcb1 Mon Sep 17 00:00:00 2001 
From: Douglas Christopher Wilson Date: Sun, 30 Aug 2020 20:59:02 -0400 Subject: [PATCH 052/107] build: Node.js@14.9 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index e19053c..857c01c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,7 +6,7 @@ node_js: - "8.17" - "10.22" - "12.18" - - "14.5" + - "14.9" cache: directories: - node_modules From 76df2e6982af8821e98890ec965f4ee4da21b95c Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sun, 30 Aug 2020 21:00:06 -0400 Subject: [PATCH 053/107] build: mocha@8.1.3 --- .travis.yml | 7 ++++--- package.json | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 857c01c..f28171d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -54,9 +54,10 @@ before_install: fi - | # Configure mocha for testing - if node_version_lt '4.0'; then npm_use_module 'mocha' '3.5.3' - elif node_version_lt '6.0'; then npm_use_module 'mocha' '5.2.0' - elif node_version_lt '8.0'; then npm_use_module 'mocha' '6.2.2' + if node_version_lt '4.0' ; then npm_use_module 'mocha' '3.5.3' + elif node_version_lt '6.0' ; then npm_use_module 'mocha' '5.2.0' + elif node_version_lt '8.0' ; then npm_use_module 'mocha' '6.2.2' + elif node_version_lt '10.0'; then npm_use_module 'mocha' '7.2.0' fi - | # Configure nyc for testing diff --git a/package.json b/package.json index bae3975..11d5af2 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "7.5.0", "express": "4.17.1", - "mocha": "7.2.0", + "mocha": "8.1.3", "nyc": "15.1.0", "supertest": "4.0.2" }, From aff00855531721c86806ee686741d8d8f4a883ad Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sun, 30 Aug 2020 21:02:33 -0400 Subject: [PATCH 054/107] build: eslint@7.7.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 11d5af2..7affeac 100644 --- a/package.json +++ b/package.json 
@@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.5.0", + "eslint": "7.7.0", "express": "4.17.1", "mocha": "8.1.3", "nyc": "15.1.0", From 5c0b6c7a0cbf126c949b9a76c7c67e26eba6b3e1 Mon Sep 17 00:00:00 2001 From: Alex Grover Date: Sun, 30 Aug 2020 16:10:20 -0700 Subject: [PATCH 055/107] docs: fix typo in readme closes #207 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aa7a320..f90a85a 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ to the `origin` option. This function will be passed a string that is the origin The `origin` argument to the callback can be any value allowed for the `origin` option of the middleware, except a function. See the -[confugration options](#configuration-options) section for more information on all +[configuration options](#configuration-options) section for more information on all the possible value types. This function is designed to allow the dynamic loading of allowed origin(s) from From 2ddcd2dc782efa30b7b4058fe7cbd6acd3fc52c6 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 22 Sep 2020 22:41:56 -0400 Subject: [PATCH 056/107] build: eslint@7.9.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 7affeac..acac695 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.7.0", + "eslint": "7.9.0", "express": "4.17.1", "mocha": "8.1.3", "nyc": "15.1.0", From 9c6f105d5fa900aa93a7d7479398fdd1ceb212cc Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 23 Sep 2020 00:10:16 -0400 Subject: [PATCH 057/107] build: Node.js@14.12 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index f28171d..799285f 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -6,7 +6,7 @@ node_js: - "8.17" - "10.22" - "12.18" - - "14.9" + - "14.12" cache: directories: - node_modules From 4069e5eeff1783d153dc386da1c9cbd836f1c344 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 7 Oct 2020 23:41:12 -0400 Subject: [PATCH 058/107] build: Node.js@12.19 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 799285f..cc3b2a5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ node_js: - "6.17" - "8.17" - "10.22" - - "12.18" + - "12.19" - "14.12" cache: directories: From c49ca10e92ac07f98a3b06783d3e6ba0ea5b70c7 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 7 Oct 2020 23:46:56 -0400 Subject: [PATCH 059/107] build: eslint@7.10.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index acac695..42a343a 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.9.0", + "eslint": "7.10.0", "express": "4.17.1", "mocha": "8.1.3", "nyc": "15.1.0", From 7660d3e539301dffdd613b506ab5f07403e15c0b Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Thu, 5 Nov 2020 21:08:52 -0500 Subject: [PATCH 060/107] build: use GitHub Actions instead of Travis CI --- .github/workflows/ci.yml | 116 +++++++++++++++++++++++++++++++++++++++ .travis.yml | 98 --------------------------------- README.md | 6 +- package.json | 2 +- 4 files changed, 120 insertions(+), 102 deletions(-) create mode 100644 .github/workflows/ci.yml delete mode 100644 .travis.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..4945d0a --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,116 @@ +name: ci + +on: +- pull_request +- push + +jobs: + test: + runs-on: ubuntu-latest + strategy: + matrix: + name: + - Node.js 0.10 + - Node.js 4.x + - Node.js 6.x + - Node.js 8.x + - Node.js 10.x + - Node.js 12.x + - Node.js 14.x + + include: + - name: Node.js 0.10 + node-version: "0.10" + npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 + + - name: Node.js 4.x + node-version: "4.9" + npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 + + - name: Node.js 6.x + node-version: "6.17" + npm-i: mocha@6.2.2 nyc@14.1.1 + + - name: Node.js 8.x + node-version: "8.17" + npm-i: mocha@7.2.0 + + - name: Node.js 10.x + node-version: "10.22" + + - name: Node.js 12.x + node-version: "12.19" + + - name: Node.js 14.x + node-version: "14.12" + + steps: + - uses: actions/checkout@v2 + + - name: Install Node.js ${{ matrix.node-version }} + shell: bash -eo pipefail -l {0} + run: | + nvm install --default ${{ matrix.node-version }} + dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" + + - name: Configure npm + run: npm config set shrinkwrap false + + - name: Install npm module(s) ${{ matrix.npm-i }} + run: npm install --save-dev ${{ matrix.npm-i }} + if: matrix.npm-i != '' + + - name: Setup Node.js version-specific dependencies + shell: bash + run: | + # eslint for linting + # - remove on Node.js < 10 + if [[ "$(cut -d. 
-f1 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then + node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ + grep -E '^eslint(-|$)' | \ + sort -r | \ + xargs -n1 npm rm --silent --save-dev + fi + + - name: Install Node.js dependencies + run: npm install + + - name: List environment + id: list_env + shell: bash + run: | + echo "node@$(node -v)" + echo "npm@$(npm -v)" + npm -s ls ||: + (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }' + + - name: Run tests + shell: bash + run: | + if npm -ps ls nyc | grep -q nyc; then + npm run test-ci + else + npm test + fi + + - name: Lint code + if: steps.list_env.outputs.eslint != '' + run: npm run lint + + - name: Collect code coverage + uses: coverallsapp/github-action@master + if: steps.list_env.outputs.nyc != '' + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + flag-name: run-${{ matrix.test_number }} + parallel: true + + coverage: + needs: test + runs-on: ubuntu-latest + steps: + - name: Uploade code coverage + uses: coverallsapp/github-action@master + with: + github-token: ${{ secrets.github_token }} + parallel-finished: true diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index cc3b2a5..0000000 --- a/.travis.yml +++ /dev/null 
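Review bot: Both `uses: coverallsapp/github-action@master` steps (the "Collect code coverage" step in the `test` job and the step in the `coverage` job) track a mutable branch while being handed `secrets.GITHUB_TOKEN`, so any later change to that branch runs in this workflow with the token. Pin both to a reviewed full commit SHA, e.g. `uses: coverallsapp/github-action@<full-commit-sha>  # <release tag>` (placeholders, to be filled from the action's release history). The workflow also declares no `permissions:` block, so the token keeps the repository's default scopes; a top-level `permissions:` with `contents: read` would probably be enough for test and lint, but confirm what the Coveralls upload needs. Separately, `flag-name: run-${{ matrix.test_number }}` uses a key the visible matrix never defines (it has only `name`, `node-version` and `npm-i`), so every parallel run appears to get the flag `run-`; `flag-name: run-${{ matrix.node-version }}` would keep them distinct.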
@@ -1,98 +0,0 @@ -language: node_js -node_js: - - "0.10" - - "4.9" - - "6.17" - - "8.17" - - "10.22" - - "12.19" - - "14.12" -cache: - directories: - - node_modules -before_install: - - | - # Setup utility functions - function node_version_lt () { - [[ "$(v "$TRAVIS_NODE_VERSION")" -lt "$(v "${1}")" ]] - } - function npm_module_installed () { - npm -lsp ls | grep -Fq "$(pwd)/node_modules/${1}:${1}@" - } - function npm_remove_module_re () { - node -e ' - fs = require("fs"); - p = JSON.parse(fs.readFileSync("package.json", "utf8")); - r = RegExp(process.argv[1]); - for (k in p.devDependencies) { - if (r.test(k)) delete p.devDependencies[k]; - } - fs.writeFileSync("package.json", JSON.stringify(p, null, 2) + "\n"); - ' "$@" - } - function npm_use_module () { - node -e ' - fs = require("fs"); - p = JSON.parse(fs.readFileSync("package.json", "utf8")); - p.devDependencies[process.argv[1]] = process.argv[2]; - fs.writeFileSync("package.json", JSON.stringify(p, null, 2) + "\n"); - ' "$@" - } - function v () { - tr '.' 
'\n' <<< "${1}" \ - | awk '{ printf "%03d", $0 }' \ - | sed 's/^0*//' - } - # Configure npm - - | - # Skip updating shrinkwrap / lock - npm config set shrinkwrap false - # Setup Node.js version-specific dependencies - - | - # Configure eslint for linting - if node_version_lt '10.12'; then npm_remove_module_re '^eslint(-|$)' - fi - - | - # Configure mocha for testing - if node_version_lt '4.0' ; then npm_use_module 'mocha' '3.5.3' - elif node_version_lt '6.0' ; then npm_use_module 'mocha' '5.2.0' - elif node_version_lt '8.0' ; then npm_use_module 'mocha' '6.2.2' - elif node_version_lt '10.0'; then npm_use_module 'mocha' '7.2.0' - fi - - | - # Configure nyc for testing - if node_version_lt '4.0'; then npm_use_module 'nyc' '10.3.2' - elif node_version_lt '6.0'; then npm_use_module 'nyc' '11.9.0' - elif node_version_lt '8.0'; then npm_use_module 'nyc' '14.1.1' - fi - - | - # Configure supertest for http calls - if node_version_lt '4.0'; then npm_use_module 'supertest' '2.0.0' - elif node_version_lt '6.0'; then npm_use_module 'supertest' '3.4.2' - fi - # Update Node.js modules - - | - # Prune & rebuild node_modules - if [[ -d node_modules ]]; then - npm prune - npm rebuild - fi -before_script: - - | - # Contents of node_modules - npm -s ls ||: -script: - - | - # Run test script - npm run test-ci - - | - # Run linting, if eslint exists - if npm_module_installed 'eslint'; then npm run-script lint - fi -after_script: - - | - # Upload coverage to coveralls if exists - if [[ -d .nyc_output ]]; then - npm install --save-dev coveralls@2 - nyc report --reporter=text-lcov | coveralls - fi diff --git a/README.md b/README.md index f90a85a..60ab20c 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![NPM Version][npm-image]][npm-url] [![NPM Downloads][downloads-image]][downloads-url] -[![Build Status][travis-image]][travis-url] +[![Build Status][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/connect/)/[Express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options. @@ -239,7 +239,7 @@ Code for that demo can be found here: [coveralls-url]: https://coveralls.io/r/expressjs/cors?branch=master [downloads-image]: https://img.shields.io/npm/dm/cors.svg [downloads-url]: https://npmjs.org/package/cors +[github-actions-ci-image]: https://img.shields.io/github/workflow/status/expressjs/cors/ci/master?label=ci +[github-actions-ci-url]: https://github.com/expressjs/cors?query=workflow%3Aci [npm-image]: https://img.shields.io/npm/v/cors.svg [npm-url]: https://npmjs.org/package/cors -[travis-image]: https://img.shields.io/travis/expressjs/cors/master.svg -[travis-url]: https://travis-ci.org/expressjs/cors diff --git a/package.json b/package.json index 42a343a..bfdcfcd 100644 --- a/package.json +++ b/package.json @@ -36,7 +36,7 @@ }, "scripts": { "test": "npm run lint && npm run test-ci", - "test-ci": "nyc --reporter=html --reporter=text mocha --require test/support/env", + "test-ci": "nyc --reporter=lcov --reporter=text mocha --require test/support/env", "lint": "eslint lib test" } } From 24dd07749b8b76659efa90501a85b9a915596d8a Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sun, 8 Nov 2020 01:33:53 -0500 Subject: [PATCH 061/107] build: Node.js@14.15 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4945d0a..f554e80 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -42,7 +42,7 @@ jobs: node-version: "12.19" - name: Node.js 14.x - node-version: "14.12" + node-version: "14.15" steps: - uses: actions/checkout@v2 From a7060a794aae4bbc4966880c27846213d1313b46 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 25 Dec 2020 10:22:37 -0500 Subject: [PATCH 062/107] build: Node.js@10.23 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f554e80..0ddcb3c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: npm-i: mocha@7.2.0 - name: Node.js 10.x - node-version: "10.22" + node-version: "10.23" - name: Node.js 12.x node-version: "12.19" From 5b6f294eb21c12c86a24823ade31b92561bb9f23 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 25 Dec 2020 10:27:46 -0500 Subject: [PATCH 063/107] build: Node.js@12.20 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ddcb3c..d120e35 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,7 @@ jobs: node-version: "10.23" - name: Node.js 12.x - node-version: "12.19" + node-version: "12.20" - name: Node.js 14.x node-version: "14.15" From 1d3bdedf110b877c05f1f93499e5f40f2a87dd81 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 30 Dec 2020 23:51:38 -0500 Subject: [PATCH 064/107] build: eslint@7.16.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bfdcfcd..d3087d7 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.10.0", + "eslint": "7.16.0", "express": "4.17.1", "mocha": "8.1.3", "nyc": "15.1.0", From 1120d2dcd5d77eac37aba13de901b44592589dc5 Mon Sep 17 00:00:00 2001 
From: Douglas Christopher Wilson Date: Thu, 31 Dec 2020 00:12:31 -0500 Subject: [PATCH 065/107] build: mocha@8.2.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d3087d7..9901da3 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "7.16.0", "express": "4.17.1", - "mocha": "8.1.3", + "mocha": "8.2.1", "nyc": "15.1.0", "supertest": "4.0.2" }, From 84c015284f780b79a5c3fc1e6878d80810d287d8 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sun, 31 Jan 2021 20:09:00 -0500 Subject: [PATCH 066/107] build: supertest@6.1.3 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9901da3..a51a405 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,7 @@ "express": "4.17.1", "mocha": "8.2.1", "nyc": "15.1.0", - "supertest": "4.0.2" + "supertest": "6.1.3" }, "files": [ "lib/index.js", From f5cd1e7a02585b64649df401db740b702c14524b Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Sun, 14 Feb 2021 19:32:00 -0500 Subject: [PATCH 067/107] build: eslint@7.20.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a51a405..091f1c7 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.16.0", + "eslint": "7.20.0", "express": "4.17.1", "mocha": "8.2.1", "nyc": "15.1.0", From 8ba99afb5dfcce400619cc63362e60c155972c10 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 22 Mar 2021 01:51:00 -0400 Subject: [PATCH 068/107] build: mocha@8.3.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 091f1c7..2b107a0 100644 --- a/package.json +++ b/package.json 
@@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "7.20.0", "express": "4.17.1", - "mocha": "8.2.1", + "mocha": "8.3.2", "nyc": "15.1.0", "supertest": "6.1.3" }, From bed92dca3eb51fa9c368c0f208da90f8a84d124d Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 20 Apr 2021 19:43:00 -0400 Subject: [PATCH 069/107] build: Node.js@12.22 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d120e35..36fd85a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,7 +39,7 @@ jobs: node-version: "10.23" - name: Node.js 12.x - node-version: "12.20" + node-version: "12.22" - name: Node.js 14.x node-version: "14.15" From b62e41dd7700986137462ac3e304b64822d04393 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 4 May 2021 23:09:00 -0400 Subject: [PATCH 070/107] build: support Node.js 16.x --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 36fd85a..c64316b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,6 +17,7 @@ jobs: - Node.js 10.x - Node.js 12.x - Node.js 14.x + - Node.js 16.x include: - name: Node.js 0.10 @@ -44,6 +45,9 @@ jobs: - name: Node.js 14.x node-version: "14.15" + - name: Node.js 16.x + node-version: "16.1" + steps: - uses: actions/checkout@v2 From ad766e9f540e36bde06c79b3ceaf1e361c393e6d Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Mon, 7 Jun 2021 18:32:00 -0400 Subject: [PATCH 071/107] build: eslint@7.28.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2b107a0..f05bb9c 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.20.0", + "eslint": "7.28.0", "express": "4.17.1", "mocha": "8.3.2", "nyc": "15.1.0", 
From 20c6527731d35a59bf281e15e9238e847a207410 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 14 Jul 2021 20:01:00 -0400 Subject: [PATCH 072/107] build: mocha@9.0.2 --- .github/workflows/ci.yml | 1 + package.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c64316b..c320e4f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,6 +38,7 @@ jobs: - name: Node.js 10.x node-version: "10.23" + npm-i: mocha@8.3.2 - name: Node.js 12.x node-version: "12.22" diff --git a/package.json b/package.json index f05bb9c..9499066 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "7.28.0", "express": "4.17.1", - "mocha": "8.3.2", + "mocha": "9.0.2", "nyc": "15.1.0", "supertest": "6.1.3" }, From 344ce1e257b8d2f32c280ff40de4f2494020b8ea Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 14 Jul 2021 20:03:00 -0400 Subject: [PATCH 073/107] build: eslint@7.30.0 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9499066..e44fc05 100644 --- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "devDependencies": { "after": "0.8.2", - "eslint": "7.28.0", + "eslint": "7.30.0", "express": "4.17.1", "mocha": "9.0.2", "nyc": "15.1.0", From 828066964a864ca477f91a9a8746a1292a875860 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 4 Aug 2021 19:32:00 -0400 Subject: [PATCH 074/107] build: Node.js@16.6 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c320e4f..4e94795 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -47,7 +47,7 @@ jobs: node-version: "14.15" - name: Node.js 16.x - node-version: "16.1" + node-version: "16.6" steps: - uses: actions/checkout@v2 
From 713d141a34bbad6c18a09946a1963c1252e316b4 Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 4 Aug 2021 19:34:00 -0400 Subject: [PATCH 075/107] build: Node.js@14.17 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e94795..fabf7a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: node-version: "12.22" - name: Node.js 14.x - node-version: "14.15" + node-version: "14.17" - name: Node.js 16.x node-version: "16.6" From 4db62527481bc2bf25e5e8db438566de3b2af16f Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Wed, 4 Aug 2021 19:35:00 -0400 Subject: [PATCH 076/107] build: Node.js@10.24 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fabf7a8..623bd19 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,7 +37,7 @@ jobs: npm-i: mocha@7.2.0 - name: Node.js 10.x - node-version: "10.23" + node-version: "10.24" npm-i: mocha@8.3.2 - name: Node.js 12.x From 734e080a47c6ff5554b61cb43f7bd65e5909b30c Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Tue, 7 Sep 2021 22:51:00 -0400 Subject: [PATCH 077/107] build: mocha@9.1.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index e44fc05..3368389 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "7.30.0", "express": "4.17.1", - "mocha": "9.0.2", + "mocha": "9.1.1", "nyc": "15.1.0", "supertest": "6.1.3" }, From 513cda2b9481771ab85b33b0b0eafa55a4da9054 Mon Sep 17 00:00:00 2001 From: manjunath00 Date: Tue, 19 Apr 2022 22:45:46 +0530 Subject: [PATCH 078/107] docs: update link to web.dev closes #269 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 60ab20c..c42d4a7 100644 --- a/README.md +++ b/README.md @@ -216,7 +216,7 @@ The default configuration is the equivalent of: } ``` -For details on the effect of each CORS header, read [this](http://www.html5rocks.com/en/tutorials/cors/) article on HTML5 Rocks. +For details on the effect of each CORS header, read [this](https://web.dev/cross-origin-resource-sharing/) article on web.dev. ## Demo From f038e7722838fd83935674aa8c5bf452766741fb Mon Sep 17 00:00:00 2001 From: LuisEGR Date: Tue, 20 Jul 2021 11:09:57 -0500 Subject: [PATCH 079/107] lint: remove unused function parameters closes #245 --- lib/index.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/index.js b/lib/index.js index 5475aec..ad899ca 100644 --- a/lib/index.js +++ b/lib/index.js @@ -163,11 +163,11 @@ if (method === 'OPTIONS') { // preflight headers.push(configureOrigin(options, req)); - headers.push(configureCredentials(options, req)); - headers.push(configureMethods(options, req)); + headers.push(configureCredentials(options)) + headers.push(configureMethods(options)) headers.push(configureAllowedHeaders(options, req)); - headers.push(configureMaxAge(options, req)); - headers.push(configureExposedHeaders(options, req)); + headers.push(configureMaxAge(options)) + headers.push(configureExposedHeaders(options)) applyHeaders(headers, res); if (options.preflightContinue) { @@ -182,8 +182,8 @@ } else { // actual response headers.push(configureOrigin(options, req)); - headers.push(configureCredentials(options, req)); - headers.push(configureExposedHeaders(options, req)); + headers.push(configureCredentials(options)) + headers.push(configureExposedHeaders(options)) applyHeaders(headers, res); next(); } From f539294bf844a0a487550de9802ab059b6486370 Mon Sep 17 00:00:00 2001 
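Review bot: The four rewritten `headers.push(...)` calls in the preflight branch lose their trailing semicolons while the untouched neighbours (`headers.push(configureOrigin(options, req));`, `applyHeaders(headers, res);`) keep them, and the same happens to the two calls in the `else` branch of the second hunk. Automatic semicolon insertion makes these lines parse as before, but a commit labelled lint should not introduce a second statement style; write them as `headers.push(configureCredentials(options));`, `headers.push(configureMethods(options));` and so on. The helper definitions are outside both hunks, so whether they really ignore a second argument cannot be confirmed from here.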
From: homersimpsons Date: Fri, 19 Apr 2024 11:37:11 +0200 Subject: [PATCH 080/107] fix: readme status badge (#306) PR-URL: https://github.com/expressjs/cors/pull/306 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c42d4a7..37ab8cf 100644 --- a/README.md +++ b/README.md @@ -239,7 +239,7 @@ Code for that demo can be found here: [coveralls-url]: https://coveralls.io/r/expressjs/cors?branch=master [downloads-image]: https://img.shields.io/npm/dm/cors.svg [downloads-url]: https://npmjs.org/package/cors -[github-actions-ci-image]: https://img.shields.io/github/workflow/status/expressjs/cors/ci/master?label=ci +[github-actions-ci-image]: https://img.shields.io/github/actions/workflow/status/expressjs/cors/ci.yml?branch=master&label=ci [github-actions-ci-url]: https://github.com/expressjs/cors?query=workflow%3Aci [npm-image]: https://img.shields.io/npm/v/cors.svg [npm-url]: https://npmjs.org/package/cors From de19afcc8ebf4c07fc5f511eadae7ae2e2d8e984 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Marqu=C3=ADnez=20Prado?= <25435858+inigomarquinez@users.noreply.github.com> Date: Tue, 14 May 2024 18:21:31 +0200 Subject: [PATCH 081/107] ci: add support for OSSF scorecard reporting (#321) PR-URL: https://github.com/expressjs/cors/pull/321 --- .github/workflows/scorecard.yml | 73 +++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..0e064f4 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,73 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security + +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '16 21 * * 1' + push: + branches: [ "master" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. 
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 + with: + sarif_file: results.sarif From 791983ebc0407115bc8ae8e64830d440da995938 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Marqu=C3=ADnez=20Prado?= <25435858+inigomarquinez@users.noreply.github.com> Date: Tue, 14 May 2024 19:37:04 +0200 Subject: [PATCH 082/107] ci: fix errors in ci github action for node 8 and add support for newer versions (#322) PR-URL: https://github.com/expressjs/cors/pull/322 --- .github/workflows/ci.yml | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 623bd19..6209375 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,6 +18,12 @@ jobs: - Node.js 12.x - Node.js 14.x - Node.js 16.x + - Node.js 17.x + - Node.js 18.x + - Node.js 19.x + - Node.js 20.x + - Node.js 21.x + - Node.js 22.x include: - name: Node.js 0.10 @@ -34,7 +40,7 @@ jobs: - name: Node.js 8.x node-version: "8.17" - npm-i: mocha@7.2.0 + npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 10.x node-version: "10.24" 
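Review bot: The version comment on the checkout pin, `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2`, should be verified against the tag that SHA actually belongs to, because reviewers and update tooling read the comment rather than the hash. The CodeQL workflow added later in this series labels the same SHA `# v4.1.1`, so one of the two comments is wrong. If v4.1.1 is the correct tag, the line becomes `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`.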
@@ -49,8 +55,26 @@ jobs: - name: Node.js 16.x node-version: "16.6" + - name: Node.js 17.x + node-version: "17.6" + + - name: Node.js 18.x + node-version: "18.14" + + - name: Node.js 19.x + node-version: "19.6" + + - name: Node.js 20.x + node-version: "20.12" + + - name: Node.js 21.x + node-version: "21.7" + + - name: Node.js 22.x + node-version: "22.0" + steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Install Node.js ${{ matrix.node-version }} shell: bash -eo pipefail -l {0} @@ -59,7 +83,12 @@ jobs: dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - name: Configure npm - run: npm config set shrinkwrap false + run: | + if [[ "$(npm config get package-lock)" == "true" ]]; then + npm config set package-lock false + else + npm config set shrinkwrap false + fi - name: Install npm module(s) ${{ matrix.npm-i }} run: npm install --save-dev ${{ matrix.npm-i }} @@ -114,7 +143,7 @@ jobs: needs: test runs-on: ubuntu-latest steps: - - name: Uploade code coverage + - name: Upload code coverage uses: coverallsapp/github-action@master with: github-token: ${{ secrets.github_token }} From 53312a5bee605e2486fa734756abb3c0bc2f891d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Garc=C3=ADa=20Fern=C3=A1ndez?= Date: Mon, 7 Oct 2024 10:58:07 +0200 Subject: [PATCH 083/107] test: improved test robustness (#320) --- test/test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test.js b/test/test.js index f2a2e94..34ddb41 100644 --- a/test/test.js +++ b/test/test.js @@ -441,7 +441,7 @@ var util = require('util') var res = new FakeResponse() res.on('finish', function () { - assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'header1,header2') + assert.strictEqual(res.getHeader('Access-Control-Allow-Headers'), 'header1,header2') assert.equal(res.getHeader('Vary'), undefined) cb() }) From 1cfb3709dec33dfa7ae95a3a554f2dd10498c7f9 Mon Sep 17 00:00:00 2001 
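Review bot: The neighbouring assertion `assert.equal(res.getHeader('Vary'), undefined)` is left on loose equality, so it still passes if `getHeader` returns `null` instead of `undefined`. `assert.strictEqual(res.getHeader('Vary'), undefined)` would make the absent-header check as strict as the `Access-Control-Allow-Headers` line this commit changes. The enclosing test function starts and ends outside the hunk, and the file's other `assert.equal` calls are not visible here, so they may need the same treatment.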
From: Carlos Serrano Date: Sat, 4 Jan 2025 20:06:21 +0100 Subject: [PATCH 084/107] chore: upgrade scorecard workflow pinned action versions (#341) --- .github/workflows/scorecard.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0e064f4..d23de00 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -33,12 +33,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif @@ -60,7 +60,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: SARIF file path: results.sarif @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: - sarif_file: results.sarif + sarif_file: results.sarif \ No newline at end of file From 14cefd4898ccb003a043cfbfa3dfc6971c9c1383 Mon Sep 17 00:00:00 2001 
From: Sebastian Beltran Date: Thu, 15 May 2025 05:31:55 -0500 Subject: [PATCH 085/107] ci: add CodeQL (SAST) (#340) --- .github/workflows/codeql.yml | 66 ++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..9d1b304 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,66 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + languages: javascript + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + # - name: Autobuild + # uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. 
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + with: + category: "/language:javascript" \ No newline at end of file From c70b4650b8906aa16bc78781208092b0686643c9 Mon Sep 17 00:00:00 2001 From: Dustin Popp Date: Sat, 17 May 2025 10:11:31 -0500 Subject: [PATCH 086/107] docs: remove broken link to demo site (#344) Co-authored-by: Dustin Popp --- README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/README.md b/README.md index 37ab8cf..c6d26ca 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,6 @@ CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/co * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight) * [Configuring CORS Asynchronously](#configuring-cors-asynchronously) * [Configuration Options](#configuration-options) -* [Demo](#demo) * [License](#license) * [Author](#author) @@ -218,15 +217,6 @@ The default configuration is the equivalent of: For details on the effect of each CORS header, read [this](https://web.dev/cross-origin-resource-sharing/) article on web.dev. -## Demo - -A demo that illustrates CORS working (and not working) using React is available here: [https://node-cors-client.netlify.com](https://node-cors-client.netlify.com) - -Code for that demo can be found here: - -* Client: [https://github.com/troygoode/node-cors-client](https://github.com/troygoode/node-cors-client) -* Server: [https://github.com/troygoode/node-cors-server](https://github.com/troygoode/node-cors-server) - ## License [MIT License](http://www.opensource.org/licenses/mit-license.php) From 1286ac5fcea64656bfc1c107de0113704e344864 Mon Sep 17 00:00:00 2001 
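Review bot: The `Checkout repository` step does not set `persist-credentials: false`, unlike the checkout in the Scorecard workflow, so the job token stays in the local git configuration for the later steps of a job that holds `security-events: write`. Adding `with:` and `persist-credentials: false` under the checkout step would match the other workflow; nothing visible in this job pushes or fetches after checkout, so the credential should not be needed. The template comments about Autobuild and compiled languages do not apply to a `languages: javascript` analysis and could be dropped, and the file ends without a trailing newline.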
From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 5 Jun 2025 14:37:04 +0200 Subject: [PATCH 087/107] ci: add OSSF Scorecard recommendations (#350) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón Co-authored-by: StepSecurity Bot --- .github/dependabot.yml | 15 +++++++++++++++ .github/workflows/ci.yml | 14 +++++++++++--- 2 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..fb6c310 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,15 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: monthly + + - package-ecosystem: npm + directory: / + schedule: + interval: monthly + open-pull-requests-limit: 10 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6209375..b9916e5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,8 +4,14 @@ on: - pull_request - push +permissions: + contents: read + jobs: test: + permissions: + checks: write # for coverallsapp/github-action to create new checks + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest strategy: matrix: @@ -74,7 +80,7 @@ jobs: node-version: "22.0" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Node.js ${{ matrix.node-version }} shell: bash -eo pipefail -l {0} @@ -132,7 +138,7 @@ jobs: run: npm run lint - name: Collect code coverage - uses: coverallsapp/github-action@master + uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master if: steps.list_env.outputs.nyc != '' with: github-token: ${{ secrets.GITHUB_TOKEN }} 
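Review bot: The pinned Coveralls step is annotated `# master` (`uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master`), which names a branch rather than the release the SHA corresponds to; the `coverage` job in the next hunk carries the same comment. The checkout pin in this commit uses `# v4.2.2`, and the Coveralls lines should follow that form, `# <release-tag>`, so a reader can tell which release was reviewed and how far behind it is. The job-level `permissions:` comments are a good model for this: they say why each scope is granted.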
@@ -140,11 +146,13 @@ jobs: parallel: true coverage: + permissions: + checks: write # for coverallsapp/github-action to create new checks needs: test runs-on: ubuntu-latest steps: - name: Upload code coverage - uses: coverallsapp/github-action@master + uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master with: github-token: ${{ secrets.github_token }} parallel-finished: true From 219c2a1890bcc8171649d714a242424f65d2e0dd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 21:52:13 +0200 Subject: [PATCH 088/107] build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 (#351) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9d1b304..3bdc61a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 with: languages: javascript # If you wish to specify custom queries, you can do so here or in a config file. @@ -61,6 +61,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 + uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 with: category: "/language:javascript" \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d23de00..6e5e869 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 + uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 with: sarif_file: results.sarif \ No newline at end of file From 83f665d75c51d8cf335cf725ce4548c4c522a1e7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 21:53:18 +0200 Subject: [PATCH 089/107] build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#353) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9916e5..bea8f2c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -138,7 +138,7 @@ jobs: run: npm run lint - name: Collect code coverage - uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # master if: steps.list_env.outputs.nyc != '' with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -152,7 +152,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Upload code coverage - uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # master with: github-token: ${{ secrets.github_token }} parallel-finished: true From 9f71118a6c71f7697670b7dc171e02c2b5385343 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 21:54:09 +0200 Subject: [PATCH 090/107] build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#354) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3bdc61a..163cbc9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 6cb26b5e5ee722f3f3eded651cf604392418d129 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 21:54:55 +0200 Subject: [PATCH 091/107] build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 (#355) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 6e5e869..314432b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -38,7 +38,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: results.sarif results_format: sarif From 07e49a1347a969edc862eb0f18cf3aecb214271b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 21:55:44 +0200 Subject: [PATCH 092/107] build(deps-dev): bump express from 4.17.1 to 4.21.2 (#356) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3368389..88d2c03 100644 --- a/package.json +++ b/package.json @@ -19,7 +19,7 @@ "devDependencies": { "after": "0.8.2", "eslint": "7.30.0", - "express": "4.17.1", + "express": "4.21.2", "mocha": "9.1.1", "nyc": "15.1.0", "supertest": "6.1.3" From 0287892f85578c73249673ffd57de13d874fc9b2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 21:59:53 +0200 Subject: [PATCH 093/107] build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 (#352) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 314432b..16d1289 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,7 +60,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif From 1640d9e0a84e4e21c89071b53381a718dc915375 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 22:00:50 +0200 Subject: [PATCH 094/107] build(deps-dev): bump mocha from 9.1.1 to 9.2.2 (#358) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 88d2c03..920e1a1 100644 --- a/package.json +++ b/package.json @@ -20,7 +20,7 @@ "after": "0.8.2", "eslint": "7.30.0", "express": "4.21.2", - "mocha": "9.1.1", + "mocha": "9.2.2", "nyc": "15.1.0", "supertest": "6.1.3" }, From 70eadc4efe934af537e3402d76ff4d6b1870d71b Mon Sep 17 00:00:00 2001 From: Jon Church Date: Thu, 5 Jun 2025 16:01:47 -0400 Subject: [PATCH 095/107] docs: update the docs for per request config (#338) --- README.md | 52 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index c6d26ca..34274be 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/co * [Configuring CORS](#configuring-cors) * [Configuring CORS w/ Dynamic Origin](#configuring-cors-w-dynamic-origin) * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight) - * [Configuring CORS Asynchronously](#configuring-cors-asynchronously) + * [Customizing CORS Settings Dynamically per Request](#customizing-cors-settings-dynamically-per-request) * [Configuration Options](#configuration-options) * [License](#license) * [Author](#author) @@ -69,6 +69,8 @@ app.listen(80, function () { ### Configuring CORS +See the [configuration options](#configuration-options) for details. + ```javascript var express = require('express') var cors = require('cors') 
@@ -161,27 +163,45 @@ NOTE: When using this middleware as an application level middleware (for example, `app.use(cors())`), pre-flight requests are already handled for all routes. -### Configuring CORS Asynchronously +### Customizing CORS Settings Dynamically per Request -```javascript -var express = require('express') -var cors = require('cors') -var app = express() +For APIs that require different CORS configurations for specific routes or requests, you can dynamically generate CORS options based on the incoming request. The `cors` middleware allows you to achieve this by passing a function instead of static options. This function is called for each incoming request and must use the callback pattern to return the appropriate CORS options. + +The function accepts: +1. **`req`**: + - The incoming request object. + +2. **`callback(error, corsOptions)`**: + - A function used to return the computed CORS options. + - **Arguments**: + - **`error`**: Pass `null` if there’s no error, or an error object to indicate a failure. + - **`corsOptions`**: An object specifying the CORS policy for the current request. 
-var allowlist = ['http://example1.com', 'http://example2.com'] -var corsOptionsDelegate = function (req, callback) { +Here’s an example that handles both public routes and restricted, credential-sensitive routes: + +```javascript +var dynamicCorsOptions = function(req, callback) { var corsOptions; - if (allowlist.indexOf(req.header('Origin')) !== -1) { - corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response + if (req.path.startsWith('/auth/connect/')) { + corsOptions = { + origin: 'http://mydomain.com', // Allow only a specific origin + credentials: true, // Enable cookies and credentials + }; } else { - corsOptions = { origin: false } // disable CORS for this request + corsOptions = { origin: '*' }; // Allow all origins for other routes } - callback(null, corsOptions) // callback expects two parameters: error and options -} + callback(null, corsOptions); +}; -app.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for an allowed domain.'}) -}) +app.use(cors(dynamicCorsOptions)); + +app.get('/auth/connect/twitter', function (req, res) { + res.send('CORS dynamically applied for Twitter authentication.'); +}); + +app.get('/public', function (req, res) { + res.send('Public data with open CORS.'); +}); app.listen(80, function () { console.log('CORS-enabled web server listening on port 80') From 7f1a682e548ff426245c06b85b69f6a8e4c66149 Mon Sep 17 00:00:00 2001 From: dhananjaysa92 <116092192+dhananjaysa92@users.noreply.github.com> Date: Thu, 5 Jun 2025 16:05:07 -0400 Subject: [PATCH 096/107] docs: extend origin option for `*` (#289) Co-authored-by: Dhananjay Agrawal --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 34274be..527a0f3 100644 --- a/README.md +++ b/README.md 
@@ -212,7 +212,9 @@ app.listen(80, function () { * `origin`: Configures the **Access-Control-Allow-Origin** CORS header. Possible values: - `Boolean` - set `origin` to `true` to reflect the [request origin](http://tools.ietf.org/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS. - - `String` - set `origin` to a specific origin. For example if you set it to `"http://example.com"` only requests from "http://example.com" will be allowed. + - `String` - set `origin` to a specific origin. For example, if you set it to + - `"http://example.com"` only requests from "http://example.com" will be allowed. + - `"*"` for all domains to be allowed. - `RegExp` - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\.com$/` will reflect any request that is coming from an origin ending with "example.com". - `Array` - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `["http://example1.com", /\.example2\.com$/]` will accept any request from "http://example1.com" or from a subdomain of "example2.com". - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (called as `callback(err, origin)`, where `origin` is a non-function value of the `origin` option) as the second. From 2c44de3296d8aaf605315d48f972e73f467b138d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 5 Jun 2025 22:11:12 +0200 Subject: [PATCH 097/107] ci: upgrade Node versions (#359) --- .github/workflows/ci.yml | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bea8f2c..3e28f9c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -30,6 +30,8 @@ jobs: - Node.js 20.x - Node.js 21.x - Node.js 22.x + - Node.js 23.x + - Node.js 24.x include: - name: Node.js 0.10 @@ -37,47 +39,53 @@ jobs: npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: Node.js 4.x - node-version: "4.9" + node-version: "4" npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - name: Node.js 6.x - node-version: "6.17" + node-version: "6" npm-i: mocha@6.2.2 nyc@14.1.1 - name: Node.js 8.x - node-version: "8.17" + node-version: "8" npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 10.x - node-version: "10.24" + node-version: "10" npm-i: mocha@8.3.2 - name: Node.js 12.x - node-version: "12.22" + node-version: "12" - name: Node.js 14.x - node-version: "14.17" + node-version: "14" - name: Node.js 16.x - node-version: "16.6" + node-version: "16" - name: Node.js 17.x - node-version: "17.6" + node-version: "17" - name: Node.js 18.x - node-version: "18.14" + node-version: "18" - name: Node.js 19.x - node-version: "19.6" + node-version: "19" - name: Node.js 20.x - node-version: "20.12" + node-version: "20" - name: Node.js 21.x - node-version: "21.7" + node-version: "21" - name: Node.js 22.x - node-version: "22.0" + node-version: "22" + + - name: Node.js 23.x + node-version: "23" + + - name: Node.js 24.x + node-version: "24" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 9a9a760c888433d923847ee837e95567d9a94517 Mon Sep 17 00:00:00 2001 From: Sebastian Beltran Date: Wed, 23 Jul 2025 07:47:24 -0500 Subject: [PATCH 098/107] chore: add funding to package.json (#363) --- package.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package.json b/package.json index 920e1a1..7ceae41 100644 --- a/package.json +++ b/package.json @@ -11,6 +11,10 @@ "middleware" ], "repository": "expressjs/cors", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + }, "main": "./lib/index.js", "dependencies": { "object-assign": "^4", 
From f881e919e825ae8e35b8526a39bb64d13d4688bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Nov 2025 17:57:21 +0100 Subject: [PATCH 099/107] build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 163cbc9..bdff87f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -38,7 +38,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: languages: javascript # If you wish to specify custom queries, you can do so here or in a config file. @@ -61,6 +61,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: category: "/language:javascript" \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 16d1289..2850330 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: sarif_file: results.sarif \ No newline at end of file 
From b25644c76be11c09e3573007244a0696c4d183ec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 1 Nov 2025 17:57:59 +0100 Subject: [PATCH 100/107] build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2850330..32746dc 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,7 +60,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: SARIF file path: results.sarif From 7e6f7eeac0c16d9abed2cb84ac4b2891a51fa3dc Mon Sep 17 00:00:00 2001 From: Efe Date: Sun, 30 Nov 2025 17:06:15 +0100 Subject: [PATCH 101/107] docs: revamp content (#374) --- CONTRIBUTING.md | 33 --------------------------------- README.md | 18 ++++++++---------- 2 files changed, 8 insertions(+), 43 deletions(-) delete mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 591b09a..0000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# contributing to `cors` - -CORS is a node.js package for providing a [connect](http://www.senchalabs.org/connect/)/[express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options. Learn more about the project in [the README](README.md). - -## The CORS Spec - -[http://www.w3.org/TR/cors/](http://www.w3.org/TR/cors/) - -## Pull Requests Welcome - -* Include `'use strict';` in every javascript file. -* 2 space indentation. -* Please run the testing steps below before submitting. - -## Testing - -```bash -$ npm install -$ npm test -``` - -## Interactive Testing Harness - -[http://node-cors-client.herokuapp.com](http://node-cors-client.herokuapp.com) - -Related git repositories: - -* [https://github.com/TroyGoode/node-cors-server](https://github.com/TroyGoode/node-cors-server) -* [https://github.com/TroyGoode/node-cors-client](https://github.com/TroyGoode/node-cors-client) - -## License - -[MIT License](http://www.opensource.org/licenses/mit-license.php) diff --git a/README.md b/README.md index 527a0f3..2a377fd 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,7 @@ [![Build Status][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] -CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/connect/)/[Express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options. - -**[Follow me (@troygoode) on Twitter!](https://twitter.com/intent/user?screen_name=troygoode)** +CORS is a [Node.js](https://nodejs.org/en/) package for providing a [Connect](https://github.com/senchalabs/connect)/[Express](https://expressjs.com/) middleware that can be used to enable [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) with various options. * [Installation](#installation) * [Usage](#usage) 
@@ -19,13 +17,13 @@ CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/co * [Customizing CORS Settings Dynamically per Request](#customizing-cors-settings-dynamically-per-request) * [Configuration Options](#configuration-options) * [License](#license) -* [Author](#author) +* [Original Author](#original-author) ## Installation This is a [Node.js](https://nodejs.org/en/) module available through the [npm registry](https://www.npmjs.com/). Installation is done using the -[`npm install` command](https://docs.npmjs.com/getting-started/installing-npm-packages-locally): +[`npm install` command](https://docs.npmjs.com/downloading-and-installing-packages-locally): ```sh $ npm install cors @@ -211,7 +209,7 @@ app.listen(80, function () { ## Configuration Options * `origin`: Configures the **Access-Control-Allow-Origin** CORS header. Possible values: - - `Boolean` - set `origin` to `true` to reflect the [request origin](http://tools.ietf.org/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS. + - `Boolean` - set `origin` to `true` to reflect the [request origin](https://datatracker.ietf.org/doc/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS. - `String` - set `origin` to a specific origin. For example, if you set it to - `"http://example.com"` only requests from "http://example.com" will be allowed. - `"*"` for all domains to be allowed. 
@@ -237,21 +235,21 @@ The default configuration is the equivalent of: } ``` -For details on the effect of each CORS header, read [this](https://web.dev/cross-origin-resource-sharing/) article on web.dev. +For details on the effect of each CORS header, read [this](https://web.dev/articles/cross-origin-resource-sharing) article. ## License [MIT License](http://www.opensource.org/licenses/mit-license.php) -## Author +## Original Author [Troy Goode](https://github.com/TroyGoode) ([troygoode@gmail.com](mailto:troygoode@gmail.com)) [coveralls-image]: https://img.shields.io/coveralls/expressjs/cors/master.svg [coveralls-url]: https://coveralls.io/r/expressjs/cors?branch=master [downloads-image]: https://img.shields.io/npm/dm/cors.svg -[downloads-url]: https://npmjs.org/package/cors +[downloads-url]: https://npmjs.com/package/cors [github-actions-ci-image]: https://img.shields.io/github/actions/workflow/status/expressjs/cors/ci.yml?branch=master&label=ci [github-actions-ci-url]: https://github.com/expressjs/cors?query=workflow%3Aci [npm-image]: https://img.shields.io/npm/v/cors.svg -[npm-url]: https://npmjs.org/package/cors +[npm-url]: https://npmjs.com/package/cors From d5cf6cd3ac1edad4507f5f265cad6dfb6ea048bc Mon Sep 17 00:00:00 2001 From: Ignacio Mangas Date: Sun, 30 Nov 2025 17:11:18 +0100 Subject: [PATCH 102/107] ci: add support for node@25 (#375) Co-authored-by: Nachoo Mangas --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3e28f9c..9fd8cc4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,6 +32,7 @@ jobs: - Node.js 22.x - Node.js 23.x - Node.js 24.x + - Node.js 25.x include: - name: Node.js 0.10 @@ -87,6 +88,9 @@ jobs: - name: Node.js 24.x node-version: "24" + - name: Node.js 25.x + node-version: "25" + steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
From f442e770a40993f5093940c73c326b825203f947 Mon Sep 17 00:00:00 2001 From: Ignacio Mangas Date: Mon, 1 Dec 2025 13:22:06 +0100 Subject: [PATCH 103/107] Extend CI test matrix (#376) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nachoo Mangas Co-authored-by: Ulises Gascón --- .github/workflows/ci.yml | 50 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9fd8cc4..bd8c6a8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,12 +17,22 @@ jobs: matrix: name: - Node.js 0.10 + - Node.js 0.12 + - io.js 1.x + - io.js 2.x + - io.js 3.x - Node.js 4.x + - Node.js 5.x - Node.js 6.x + - Node.js 7.x - Node.js 8.x + - Node.js 9.x - Node.js 10.x + - Node.js 11.x - Node.js 12.x + - Node.js 13.x - Node.js 14.x + - Node.js 15.x - Node.js 16.x - Node.js 17.x - Node.js 18.x 
@@ -39,28 +49,68 @@ jobs: node-version: "0.10" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 + - name: Node.js 0.12 + node-version: "0.12" + npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 + + - name: io.js 1.x + node-version: "1" + npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 + + - name: io.js 2.x + node-version: "2" + npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 + + - name: io.js 3.x + node-version: "3" + npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 + - name: Node.js 4.x node-version: "4" npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 + - name: Node.js 5.x + node-version: "5" + npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 + - name: Node.js 6.x node-version: "6" npm-i: mocha@6.2.2 nyc@14.1.1 + - name: Node.js 7.x + node-version: "7" + npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 + - name: Node.js 8.x node-version: "8" npm-i: mocha@7.2.0 nyc@14.1.1 + - name: Node.js 9.x + node-version: "9" + npm-i: mocha@7.2.0 nyc@14.1.1 supertest@6.1.6 + - name: Node.js 10.x node-version: "10" npm-i: mocha@8.3.2 + - name: Node.js 11.x + node-version: "11" + npm-i: mocha@8.4.0 supertest@6.1.6 + - name: Node.js 12.x node-version: "12" + - name: Node.js 13.x + node-version: "13" + npm-i: mocha@9.2.2 supertest@6.1.6 + - name: Node.js 14.x node-version: "14" + - name: Node.js 15.x + node-version: "15" + npm-i: "supertest@6.1.6" + - name: Node.js 16.x node-version: "16" From bbf62a5438a406bf50cc6f3c2d763028f215523f Mon Sep 17 00:00:00 2001 From: Jon Church Date: Tue, 13 Jan 2026 07:59:10 -0500 Subject: [PATCH 104/107] docs: simplify code examples with header comments (#386) --- README.md | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 2a377fd..31efdaa 100644 --- a/README.md +++ b/README.md 
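Review bot: The `npm-i` overrides added in this hunk are inconsistent and carry no explanation. The new 7.x, 9.x, 11.x, 13.x and 15.x entries install `supertest@6.1.6`, while the neighbouring 6.x, 8.x and 10.x entries have no supertest override and package.json pins `6.1.3`. The 15.x value is also the only one written quoted (`npm-i: "supertest@6.1.6"`). A short comment per group, such as `# last mocha/nyc/supertest releases that run on this runtime`, would let a reviewer tell a deliberate pin from a copy-paste slip. The step that consumes `npm-i` is outside the hunk, so how these values are installed cannot be checked from here.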
@@ -38,14 +38,15 @@ var express = require('express') var cors = require('cors') var app = express() +// Adds headers: Access-Control-Allow-Origin: * app.use(cors()) app.get('/products/:id', function (req, res, next) { - res.json({msg: 'This is CORS-enabled for all origins!'}) + res.json({msg: 'Hello'}) }) app.listen(80, function () { - console.log('CORS-enabled web server listening on port 80') + console.log('web server listening on port 80') }) ``` @@ -56,12 +57,13 @@ var express = require('express') var cors = require('cors') var app = express() +// Adds headers: Access-Control-Allow-Origin: * app.get('/products/:id', cors(), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for a Single Route'}) + res.json({msg: 'Hello'}) }) app.listen(80, function () { - console.log('CORS-enabled web server listening on port 80') + console.log('web server listening on port 80') }) ``` @@ -79,12 +81,13 @@ var corsOptions = { optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204 } +// Adds headers: Access-Control-Allow-Origin: http://example.com, Vary: Origin app.get('/products/:id', cors(corsOptions), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for only example.com.'}) + res.json({msg: 'Hello'}) }) app.listen(80, function () { - console.log('CORS-enabled web server listening on port 80') + console.log('web server listening on port 80') }) ``` @@ -118,12 +121,13 @@ var corsOptions = { } } +// Adds headers: Access-Control-Allow-Origin: , Vary: Origin app.get('/products/:id', cors(corsOptions), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for an allowed domain.'}) + res.json({msg: 'Hello'}) }) app.listen(80, function () { - console.log('CORS-enabled web server listening on port 80') + console.log('web server listening on port 80') }) ``` 
@@ -141,13 +145,13 @@ var express = require('express') var cors = require('cors') var app = express() -app.options('/products/:id', cors()) // enable pre-flight request for DELETE request +app.options('/products/:id', cors()) // preflight for DELETE app.del('/products/:id', cors(), function (req, res, next) { - res.json({msg: 'This is CORS-enabled for all origins!'}) + res.json({msg: 'Hello'}) }) app.listen(80, function () { - console.log('CORS-enabled web server listening on port 80') + console.log('web server listening on port 80') }) ``` @@ -181,12 +185,14 @@ Here’s an example that handles both public routes and restricted, credential-s var dynamicCorsOptions = function(req, callback) { var corsOptions; if (req.path.startsWith('/auth/connect/')) { + // Access-Control-Allow-Origin: http://mydomain.com, Access-Control-Allow-Credentials: true, Vary: Origin corsOptions = { - origin: 'http://mydomain.com', // Allow only a specific origin - credentials: true, // Enable cookies and credentials + origin: 'http://mydomain.com', + credentials: true }; } else { - corsOptions = { origin: '*' }; // Allow all origins for other routes + // Access-Control-Allow-Origin: * + corsOptions = { origin: '*' }; } callback(null, corsOptions); }; @@ -194,15 +200,15 @@ var dynamicCorsOptions = function(req, callback) { app.use(cors(dynamicCorsOptions)); app.get('/auth/connect/twitter', function (req, res) { - res.send('CORS dynamically applied for Twitter authentication.'); + res.send('Hello'); }); app.get('/public', function (req, res) { - res.send('Public data with open CORS.'); + res.send('Hello'); }); app.listen(80, function () { - console.log('CORS-enabled web server listening on port 80') + console.log('web server listening on port 80') }) ``` From cf8947e828444603c68dfca4f9297700f52b9629 Mon Sep 17 00:00:00 2001 
From: Jon Church Date: Fri, 16 Jan 2026 09:19:46 -0500 Subject: [PATCH 105/107] docs: tweak intro, add note w/ browser enforcement, FAQ (#385) --- README.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 31efdaa..3d206e5 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,10 @@ [![Build Status][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] -CORS is a [Node.js](https://nodejs.org/en/) package for providing a [Connect](https://github.com/senchalabs/connect)/[Express](https://expressjs.com/) middleware that can be used to enable [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) with various options. +CORS is a [Node.js](https://nodejs.org/en/) middleware for [Express](https://expressjs.com/)/[Connect](https://github.com/senchalabs/connect) that sets [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) response headers. These headers tell browsers which origins can read responses from your server. + +> [!IMPORTANT] +> **How CORS Works:** This package sets response headers—it doesn't block requests. CORS is enforced by browsers: they check the headers and decide if JavaScript can read the response. Non-browser clients (curl, Postman, other servers) ignore CORS entirely. See the [MDN CORS guide](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) for details. * [Installation](#installation) * [Usage](#usage) @@ -16,6 +19,7 @@ CORS is a [Node.js](https://nodejs.org/en/) package for providing a [Connect](ht * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight) * [Customizing CORS Settings Dynamically per Request](#customizing-cors-settings-dynamically-per-request) * [Configuration Options](#configuration-options) +* [Common Misconceptions](#common-misconceptions) * [License](#license) * [Original Author](#original-author) 
@@ -241,7 +245,19 @@ The default configuration is the equivalent of: } ``` -For details on the effect of each CORS header, read [this](https://web.dev/articles/cross-origin-resource-sharing) article. +## Common Misconceptions + +### "CORS blocks requests from disallowed origins" + +**No.** Your server receives and processes every request. CORS headers tell the browser whether JavaScript can read the response—not whether the request is allowed. + +### "CORS protects my API from unauthorized access" + +**No.** CORS is not access control. Any HTTP client (curl, Postman, another server) can call your API regardless of CORS settings. Use authentication and authorization to protect your API. + +### "Setting `origin: 'http://example.com'` means only that domain can access my server" + +**No.** It means browsers will only let JavaScript from that origin read responses. The server still responds to all requests. ## License From 848e2bd062a5d845c99e3808ca598d60f6bc5e16 Mon Sep 17 00:00:00 2001 From: Phillip Barta Date: Sat, 17 Jan 2026 19:59:02 +0100 Subject: [PATCH 106/107] chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388) --- package.json | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/package.json b/package.json index 7ceae41..c7f9160 100644 --- a/package.json +++ b/package.json @@ -29,11 +29,7 @@ "supertest": "6.1.3" }, "files": [ - "lib/index.js", - "CONTRIBUTING.md", - "HISTORY.md", - "LICENSE", - "README.md" + "lib/index.js" ], "engines": { "node": ">= 0.10" From f00a8c1f0af727ffe5ed35f3b2d0b1a7eb4b65bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Thu, 22 Jan 2026 15:36:50 +0100 Subject: [PATCH 107/107] 2.8.6 (#390) --- HISTORY.md | 6 ++++++ package.json | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/HISTORY.md b/HISTORY.md index 5762bce..4ae1a3a 100644 --- a/HISTORY.md +++ b/HISTORY.md 
@@ -1,3 +1,9 @@ +2.8.6 / 2026-01-22 +================== + + * Improve documentation (API, context, examples...) + * Remove additional markdown files from tarball + 2.8.5 / 2018-11-04 ================== diff --git a/package.json b/package.json index c7f9160..e90bac8 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "cors", "description": "Node.js CORS middleware", - "version": "2.8.5", + "version": "2.8.6", "author": "Troy Goode (https://github.com/troygoode/)", "license": "MIT", "keywords": [