fix: Cors headers

[rkostrzewski]

@developit this change allows only https://localhost:port origin to access served app.

[developit]

Can we allow an options.cors that gets appended to this as a CSV?

[rkostrzewski]

Here you go. FYI simplehttp2server is able to add only one origin.

[rkostrzewski]

@developit this is a breaking change - as it can break stuff on things like now.sh

[developit]

lgtm!

[developit]

@rkostrzewski maybe we should check if there is an env var we can watch for?

[rkostrzewski]

@developit we can check for NOW variable on now.sh, but I don't really think it's worth the trouble as far more providers exist out there. Furthermore setting CORS to * even on hosting provider doesn't seem like a good idea.

[rkostrzewski]

I'd wait for @developit since IMHO this is a major version bump and maybe something smaller will come along.

[developit]

I think I overestimated the breakage this would cause initially - really the only time someone would run into an issue is if they are trying to fetch assets from their preact-cli output on a page with a differing origin. I think that's a fairly small set of people - I've had such a usecase before, but I would expect to have to muck around with hostnames/headers a bit to make things work.

Should we wait for a bit of breakage to accumulate and make a 2.0.0, or merge and cross our fingers? haha

[lukeed]

TBH, I'm not fully aware of the implications, but I have a feeling that (in development) that would be a tiny tiny subset of people.

In production, I'd assume that the requesting origins would be known & specified... or just reverted back to "*".

[developit]

The last time I ran into this was proxying my initial bundle, but leaving it to reference its associated webpack assets from a CDN. The thing is, I had to manually configure Webpack to set the public path to the CDN.

Maybe we could generate a list of allowed origins using some more information:

• the user's own ip
• 127.0.0.1
• localhost
• any domain found in publicPath
• the cors CLI arg
• $HOSTNAME

The combination of these would handle a whole bunch of cases, really leaving only a few where there's not enough information to determine safety.

Also good point - if someone found this to be an issue they can still do --cors *.

FWIW I believe this change only applies to the production web server(s) bundled in.

[rkostrzewski]

Simple http2server doesn't support multiple origins 😢

[developit]

(continuing from slack lol) When you suggested setting the header from firebase.json - do you know if that works with simplehttp2server?