feat(cors): Add CORS policy check and response to browsers. #450
Conversation
|
@microsoft-github-policy-service agree |
AOrazaev
force-pushed
the
orazaev/cors_support
branch
from
b21f59d to
770eae1
Compare
Do strict string check instead of regex.
AOrazaev
force-pushed
the
orazaev/cors_support
branch
from
bfe66d6 to
9eeab1e
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for handling CORS by performing a policy check in the transport layer and updating the command-line options as well as the documentation accordingly.
- Introduces a new checkCors function in the transport module that applies CORS headers if the Origin header is allowed.
- Adds a new CLI option (--cors-allowed-origins) and the corresponding configuration property for CORS handling.
- Updates the README to document the new CORS option alongside the existing allowed-/blocked-origins options.
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/transport.ts | Adds CORS check functionality and OPTIONS handling for SSE and streamable transports. |
| src/program.ts | Adds new CLI option for specifying allowed origins via CORS policy. |
| src/config.ts | Adds corsAllowedOrigins to configuration options. |
| README.md | Updates documentation to include the new CORS policy option. |
Comments suppressed due to low confidence (1)
README.md:133
- The documentation now lists both '--allowed-origins' and '--cors-allowed-origins'. It would be helpful to clarify their distinct purposes or consider consolidating them to avoid potential confusion.
--cors-allowed-origins <origin> semicolon-separated list of allowed origins by CORS policy.
| async function handleSSE(server: Server, req: http.IncomingMessage, res: http.ServerResponse, url: URL, sessions: Map<string, SSEServerTransport>) { | ||
| if (checkCors(server.config, req, res) && req.method === 'OPTIONS') { |
There was a problem hiding this comment.
| if (checkCors(server.config, req, res) && req.method === 'OPTIONS') { | |
| if (req.method === 'OPTIONS') { | |
| if (checkCors(server.config, req, res)) { | |
| ... | |
| } else { | |
| ... | |
| } | |
| return; | |
| } |
There was a problem hiding this comment.
Hey Pavel, thanks for your suggestion!
Unfortunately, as far as I understand, this particular suggestion will break the behavior. Browser will require CORS headers to be populated not only for "preflight" request (OPTIONS), but also for every consequent request (POST/GET). So OPTIONS will succeed, actual POST will break because of cors.
This is the reason I've put the function check in front. I understand that this is probably not an obvious behavior and it happens implicitly. Feel free to suggest how to make it better and more explicit - I'll happily make a change.
Thank you!
There was a problem hiding this comment.
const { corsAllowed } = applyCorsHeaders(...);
if (req.method === 'OPTIONS' && corsAllowed)
return /*204*/;Co-authored-by: Pavel Feldman <pavel.feldman@gmail.com>
| async function handleSSE(server: Server, req: http.IncomingMessage, res: http.ServerResponse, url: URL, sessions: Map<string, SSEServerTransport>) { | ||
| if (checkCors(server.config, req, res) && req.method === 'OPTIONS') { |
There was a problem hiding this comment.
const { corsAllowed } = applyCorsHeaders(...);
if (req.method === 'OPTIONS' && corsAllowed)
return /*204*/;
No description provided.