Setting up CORS properly #95
Comments
|
Hey, Thanks for raising this issue. I will be back with an answer quite soon. |
|
After reading the CORS documentation, it seems to me that in order to correctly handle CORS, a request that is coming to a server would need to have a header Also another useful resource -> https://web.dev/cross-origin-resource-sharing/ |
|
I see now, thanks for sharing the docs. Maybe it's a good idea to mention that in the documentation to clarify things for other users |
|
Good idea! I will create a separate issue to include these in the docs |
|
Added to #97 |
|
Hey, if you need some additional info on setting CORS, please let me know. Otherwise, could you please close the issue? :) |
|
Hi @Baroshem, I hope you can help me to understand one question because I'm a bit stuck with settings up the CORS settings correctly. But now, if the request So, how to handle that? Thank you |
|
I also found this info about it:
|
|
Hey @maxdzin You have asked this question in a bit bad moment as I just yesterday deprecated the current CORS handler and will be migrating to a new one in the upcoming weeks (h3-cors package that I was using was deprecated and merged to core H3 functionality). I will be diving into the topic more and will be able to deliver a new functionality that would allow to correctly handle CORS. Also, if you would be interested in doing a bit of research on how to implement this in Security module that would be much appreciated! |
|
Hi @Baroshem Thank you! I saw about the deprecation and looked at how it was merged into H3. I checked sources and I can see that the problem is in createOriginHeaders method: That's where this check is - if the I'll check more on how it should be solved, maybe some nice idea will come to mind. Or add some changes where defineCorsEventHandler is used. Let's see then. |
|
Hey @maxdzin I think that I have an answer to you. The CORS wont work when you are fetching data from the same nuxt app as it the origin of the request is the same for browser and server. It will start working when the origin is different. For example, you can create two nuxt applications where one is listening on port 3000 while the second on port 8000 for example. Normally the app 8000 can request the app 3000 without any issues ( because of security: {
corsHandler: {
value: {
origin: 'http://localhost:3000'
}
}
}Now, when you will try to fetch data from app 3000 in app 8000, you will get a proper CORS error because the origin header is present and has a value of 8000 while the first app is configured to only accepts request:
|
|
Hi @Baroshem OK. Let me tell you what I noticed. corsHandler: {
value: {
origin: process.env.NUXT_APP_URL ? [process.env.NUXT_APP_URL] : '*',
methods: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'],
preflight: {
statusCode: 204,
},
},
route: '',
},I passed that value as interface CorsOptions {
origin?: "*" | "null" | (string | RegExp)[] | ((origin: string) => boolean);
...and this one merged in unjs/h3 as well: export interface H3CorsOptions {
origin?: "*" | "null" | (string | RegExp)[] | ((origin: string) => boolean);
...So, I believe, there's some fix is needed at least on that option type. And the problem is probably with this method: export function createOriginHeaders(
event: H3Event,
options: H3CorsOptions
): H3AccessControlAllowOriginHeader {
const { origin: originOption } = options;
const origin = getRequestHeader(event, "origin");
if (!origin || !originOption || originOption === "*") {
return { "access-control-allow-origin": "*" };
}
if (typeof originOption === "string") {
return { "access-control-allow-origin": originOption, vary: "origin" };
}
return isCorsOriginAllowed(origin, options)
? { "access-control-allow-origin": origin, vary: "origin" }
: {};
}In the last line check - if it is not So, when |
|
Hey, I believe it is a bug on h3-cors and now H3. Would you mind if I create an issue in H3 package with your findings and firing a pull request to them to coreect the type? :) |
|
I can create a PR tomorrow :) Thanks for creating an issue! |
|
@Baroshem nice! Please, take a look at these lines in the if (!origin || !originOption || originOption === "*") {
return { "access-control-allow-origin": "*" };
}Probably it should be like this: if ((!origin && !originOption) || originOption === "*") {
return { "access-control-allow-origin": "*" };
}Otherwise, it set the header to Besides, maybe that method can be even simplified if |
|
Hey, I needed to do some fixes to the module (for some reason I couldn't load the h3 types to the app and because of that the build command was failing). To fix that, I needed to create my local CorsOptions type where I have included the different type for the CORS options -> 1b94de6 When using CORS from Nuxt security this will be now valid origin?: "*" | "null" | string | (string | RegExp)[] | ((origin: string) => boolean); |
|
@Baroshem great! That should work properly I think. I'll check it out. |
|
@Baroshem It works well! Thank you 🙏 |
Hi,
I don't know what I am doing wrong here but when trying to setup CORS with an example config like this:
corsHandler: { value: { origin: ['some.site.ever.com'], methods: ['POST'] }, route: '' }But when I'm posting using insomnia to localhost:3000/api/test it gives me result like this, my assumption is that the
access-control-allow-originkey would change but it stays at*.Am I doing something wrong here or is it some kind of a bug?
The text was updated successfully, but these errors were encountered: