
Error: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' #177

Closed
DavidBM opened this issue Apr 20, 2015 · 27 comments

Comments

@DavidBM

DavidBM commented Apr 20, 2015

Hi

I'm running node-server on Windows on my local computer. With sockjs-client 1.0.0-beta.12 (I use browserify to bundle the frontend), when I try to connect, Chrome gives me this error:

XMLHttpRequest cannot load http://localhost:12540/websocket/info?t=1429552020306. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.

Is it my fault or is it an error from the beta version?

client

var SockJS = require('sockjs-client'); // bundled into the page with browserify

function Net() {} // _message and _close are defined elsewhere in my code

Net.prototype.connect = function(url, port, prefix) { //url: 'localhost', port: 12540, prefix: '/websocket'
    var _this = this;

    return new Promise(function (resolve, reject) {
        // this triggers the GET /websocket/info request that fails above
        _this.sock = new SockJS('http://' + url + ':' + port + prefix);

        // resolve with the Net instance once the connection is open;
        // note that reject is never called, so a failed connect only reaches _close
        _this.sock.onopen = resolve.bind(null, _this);
        _this.sock.onmessage = _this._message.bind(_this);
        _this.sock.onclose = _this._close.bind(_this);
    });
};

server

var http = require('http');
var Sockjs = require('sockjs'); // sockjs-node

function Net() {}

Net.prototype.start = function(port, prefix) { //port: 12540, prefix: '/websocket'
    this.sockjs = Sockjs.createServer({ sockjs_url: 'http://cdn.jsdelivr.net/sockjs/0.3.4/sockjs.min.js' });

    var server = http.createServer();
    // mounts the SockJS handlers (including /info) under the prefix
    this.sockjs.installHandlers(server, {prefix: prefix});
    server.listen(port, '0.0.0.0');
    return this;
};
@3rd-Eden

The client shouldn't really change how CORS works on the web, so it looks to me like this was already an existing issue. It's most likely caused by https://github.com/sockjs/sockjs-node/blob/master/src/trans-xhr.coffee#L60-L61 as it checks if null is sent as the origin header and just bluntly uses * as the reply value.

Got steps to reproduce this? Like using InPrivate browsing mode to visit your page (this causes null to be used as Origin value for example).

@brycekahle
Contributor

Details like browser and full request/response header dump would be really helpful.

@DavidBM
Author

DavidBM commented Apr 20, 2015

The mentioned error is from Chrome 42.0.2311.90 m in normal browsing.

This is the log from Firefox Developer Edition (39.0a2); the output is the same in private browsing and in normal browsing:

20:34:42.013 var s = new service('localhost', '12540', '/websocket');
20:34:42.016 undefined
20:34:42.021 "sockjs-client:main " "using url" " +11s" "http://localhost:12540/websocket" bundle.js:6534:8
20:34:42.022 "sockjs-client:utils:url " "same" " +1ms" "http://localhost:12540/websocket" "file:///D:/Trabajo/Repositorios/starriser-frontend/bundle/index.html" false bundle.js:6534:8
20:34:42.023 "sockjs-client:info-receiver " "http://localhost:12540/websocket" " +1ms" bundle.js:6534:8
20:34:42.029 "sockjs-client:info-receiver " "doXhr" " +6ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
20:34:42.030 "sockjs-client:browser:xhr " "GET" " +1ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
20:34:42.033 "sockjs-client:browser:xhr " "withCredentials" " +3ms" bundle.js:6534:8
20:34:43.079 "sockjs-client:browser:xhr " "readyState" " +1s" 2 bundle.js:6534:8
20:34:43.080 "sockjs-client:browser:xhr " "readyState" " +1ms" 4 bundle.js:6534:8
20:34:43.081 "sockjs-client:browser:xhr " "status" " +1ms" 0 bundle.js:6534:8
20:34:43.082 "sockjs-client:browser:xhr " "finish" " +1ms" 0 "" bundle.js:6534:8
20:34:43.082 "sockjs-client:info-receiver " "finish" " +0ms" undefined undefined bundle.js:6534:8
20:34:43.083 "sockjs-client:info-receiver " "_cleanup" " +1ms" bundle.js:6534:8
20:34:43.083 "sockjs-client:main " "_receiveInfo" " +0ms" undefined bundle.js:6534:8
20:34:43.084 "sockjs-client:main " "_close" " +1ms" undefined 1002 "Cannot connect to server" undefined 0 bundle.js:6534:8
20:34:43.084 "sockjs-client:browser:xhr " "cleanup" " +0ms" bundle.js:6534:8
20:34:43.079 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:12540/websocket/info?t=1429554882033. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
20:34:43.084 ReferenceError: reference to undefined property this.transport bundle.js:35007:2
20:34:43.111 "sockjs-client:main " "disconnected" " +27ms" bundle.js:6534:8

20:34:42.022 "sockjs-client:utils:url " "same" " +1ms" "http://localhost:12540/websocket" "file:///D:/Trabajo/Repositorios/starriser-frontend/bundle/index.html" false bundle.js:6534:8

Reading this line, I think that I need to run a local server to retrieve the index.html and not open the file directly.

The headers:

Response headers

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Vary: Origin
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
Date: Mon, 20 Apr 2015 18:46:44 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Request headers

GET /websocket/info?t=1429555604907 HTTP/1.1
Host: localhost:12540
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: null
Connection: keep-alive

@DavidBM
Author

DavidBM commented Apr 20, 2015

It seems that a wildcard "*" is not a valid Access-Control-Allow-Headers value: http://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored

@brycekahle
Contributor

We aren't setting that header; from your response dump it's Access-Control-Allow-Origin: *. I would try running a small local server to serve up your index.html and see if that solves the issue.

@3rd-Eden

As you can see from the request you made, the Origin header is set to null, which automatically causes the SockJS server to use * as the value (see the lines of code I linked above). For some reason you're sending these headers by default.

Are you running this from a file:// protocol?

@lpinca

lpinca commented Apr 21, 2015

Anyway, the response to a "credentialed" request cannot include the Access-Control-Allow-Origin: * header [1], so SockJS is wrong here.
It must be either a single origin or the string null [2].
In this case it should be Access-Control-Allow-Origin: null.

[1] : https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials
[2] : http://www.w3.org/TR/cors/#access-control-allow-origin-response-header

@lpinca

lpinca commented Apr 21, 2015

Reading this line, I think that I need to run a local server to retrieve the index.html and not open the file directly.

This explains why the request Origin is null.

@3rd-Eden

@lpinca Ah, I completely missed that part. Yes, so you're serving from a file:// protocol. You could run a server instead and it would "fix" the problem. But it doesn't fix the root cause, which is that SockJS is doing CORS wrong by bluntly assuming that null as the Origin value should result in Access-Control-Allow-Origin: * while it should be Access-Control-Allow-Origin: null.
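Added example (editor's illustration, not sockjs-node's code nor any participant's) of the header logic lpinca and 3rd-Eden describe: the null-Origin-to-wildcard behaviour reported in this thread beside the corrected form that echoes a single origin or the literal string null, with an optional origin allowlist as 3rd-Eden recommends, plus a model of the browser check that produced the reporter's error. Function names and the request header objects are assumptions constructed for illustration.

```javascript
// Added example, not sockjs-node code. Header names lower-cased as Node's http module exposes them.

// Behaviour the thread reports as the bug: a missing or "null" Origin is
// answered with "*" (the reporter's file:// dump: ACAO * and no Allow-Credentials).
function buggyCorsHeaders(requestHeaders) {
  var origin = requestHeaders['origin'];
  if (!origin || origin === 'null') {
    origin = '*';
  }
  var headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (origin !== '*') {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Corrected behaviour per the CORS spec cited above: never "*" on a credentialed
// response; echo a single origin, or the literal string "null". The optional
// allowlist is the mitigation 3rd-Eden recommends: origins not on it (null
// included) get no CORS headers, so the browser blocks them instead of the
// server granting credentialed access to any file:// page or sandboxed iframe.
function fixedCorsHeaders(requestHeaders, allowedOrigins) {
  var origin = requestHeaders['origin'] || 'null';
  if (allowedOrigins && allowedOrigins.indexOf(origin) === -1) {
    return { 'Vary': 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin'
  };
}

// Model of the browser check behind the reporter's error: a withCredentials
// response is readable only if Allow-Origin is not "*", equals the request's
// Origin exactly, and Allow-Credentials is "true".
function browserAllowsCredentialedResponse(requestOrigin, responseHeaders) {
  var acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined || acao === '*') {
    return false;
  }
  if (responseHeaders['Access-Control-Allow-Credentials'] !== 'true') {
    return false;
  }
  return acao === (requestOrigin || 'null');
}

// Reporter's file:// case: buggy reply blocked (false), fixed reply readable (true).
console.log(browserAllowsCredentialedResponse('null', buggyCorsHeaders({ origin: 'null' })),
            browserAllowsCredentialedResponse('null', fixedCorsHeaders({ origin: 'null' })));
```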

@DavidBM
Author

DavidBM commented Apr 21, 2015

With a local server it works fine.

10:05:13.934 var s = new service('localhost', '12540', '/websocket');
10:05:13.936 undefined
10:05:13.940 "sockjs-client:main " "using url" " +6s" "http://localhost:12540/websocket" bundle.js:6534:8
10:05:13.940 "sockjs-client:utils:url " "same" " +0ms" "http://localhost:12540/websocket" "http://localhost:8080/index.html" false bundle.js:6534:8
10:05:13.941 "sockjs-client:info-receiver " "http://localhost:12540/websocket" " +1ms" bundle.js:6534:8
10:05:13.945 "sockjs-client:info-receiver " "doXhr" " +4ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
10:05:13.945 "sockjs-client:browser:xhr " "GET" " +0ms" "http://localhost:12540/websocket/info" bundle.js:6534:8
10:05:13.947 "sockjs-client:browser:xhr " "withCredentials" " +2ms" bundle.js:6534:8
10:05:13.965 GET XHR http://localhost:12540/websocket/info [HTTP/1.1 200 OK 347ms]
10:05:14.295 "sockjs-client:browser:xhr " "readyState" " +348ms" 2 bundle.js:6534:8
10:05:14.296 "sockjs-client:browser:xhr " "readyState" " +1ms" 3 bundle.js:6534:8
10:05:14.297 "sockjs-client:browser:xhr " "status" " +1ms" 200 bundle.js:6534:8
10:05:14.297 "sockjs-client:browser:xhr " "chunk" " +0ms" bundle.js:6534:8
10:05:14.297 "sockjs-client:browser:xhr " "readyState" " +0ms" 4 bundle.js:6534:8
10:05:14.298 "sockjs-client:browser:xhr " "status" " +1ms" 200 bundle.js:6534:8
10:05:14.298 "sockjs-client:browser:xhr " "finish" " +0ms" 200 "{"websocket":true,"origins":["*:*"],"cookie_needed":false,"entropy":1483166460}" bundle.js:6534:8
10:05:14.298 "sockjs-client:info-receiver " "finish" " +0ms" Object { websocket: true, origins: Array[1], cookie_needed: false, entropy: 1483166460 } 353 bundle.js:6534:8
10:05:14.299 "sockjs-client:info-receiver " "_cleanup" " +1ms" bundle.js:6534:8
10:05:14.300 "sockjs-client:main " "_receiveInfo" " +1ms" 353 bundle.js:6534:8
10:05:14.300 "sockjs-client:main " "info" " +0ms" Object { websocket: true, origins: Array[1], cookie_needed: false, entropy: 1483166460, nullOrigin: false, sameOrigin: false, sameScheme: true } bundle.js:6534:8
10:05:14.301 "sockjs-client:websocket " "enabled" " +1ms" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "enabled" " +0ms" "websocket" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "enabled" " +1ms" "xhr-streaming" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "disabled" " +0ms" "xdr-streaming" bundle.js:6534:8
10:05:14.302 "sockjs-client:utils:transport " "enabled" " +0ms" "eventsource" bundle.js:6534:8
10:05:14.303 "sockjs-client:utils:transport " "enabled" " +1ms" "iframe-eventsource" bundle.js:6534:8
10:05:14.303 "sockjs-client:utils:transport " "disabled" " +0ms" "htmlfile" bundle.js:6534:8
10:05:14.303 "sockjs-client:utils:transport " "enabled" " +0ms" "iframe-htmlfile" bundle.js:6534:8
10:05:14.304 "sockjs-client:utils:transport " "enabled" " +1ms" "xhr-polling" bundle.js:6534:8
10:05:14.304 "sockjs-client:utils:transport " "disabled" " +0ms" "xdr-polling" bundle.js:6534:8
10:05:14.304 "sockjs-client:utils:transport " "enabled" " +0ms" "iframe-xhr-polling" bundle.js:6534:8
10:05:14.305 "sockjs-client:utils:transport " "enabled" " +1ms" "jsonp-polling" bundle.js:6534:8
10:05:14.305 "sockjs-client:main " "8 enabled transports" " +0ms" bundle.js:6534:8
10:05:14.305 "sockjs-client:main " "attempt" " +0ms" "websocket" bundle.js:6534:8
10:05:14.306 "sockjs-client:main " "using timeout" " +1ms" 2824 bundle.js:6534:8
10:05:14.306 "sockjs-client:main " "transport url" " +0ms" "http://localhost:12540/websocket/904/cnxo0ou0" bundle.js:6534:8
10:05:14.306 "sockjs-client:websocket " "enabled" " +0ms" bundle.js:6534:8
10:05:14.306 "sockjs-client:websocket " "constructor" " +0ms" "http://localhost:12540/websocket/904/cnxo0ou0" bundle.js:6534:8
10:05:14.307 "sockjs-client:browser:xhr " "cleanup" " +1ms" bundle.js:6534:8
10:05:14.369 GET http://localhost:12540/websocket/904/cnxo0ou0/websocket [HTTP/1.1 101 Switching Protocols 7ms]
10:05:14.418 "sockjs-client:websocket " "message event" " +111ms" "o" bundle.js:6534:8
10:05:14.419 "sockjs-client:main " "_transportMessage" " +1ms" "o" bundle.js:6534:8
10:05:14.419 "sockjs-client:main " "_open" " +0ms" "websocket" 0 bundle.js:6534:8
10:05:14.420 "sockjs-client:main " "connected" " +1ms" "websocket" bundle.js:6534:8
10:05:39.323 "sockjs-client:websocket " "message event" " +25s" "h" bundle.js:6534:8
10:05:39.324 "sockjs-client:main " "_transportMessage" " +1ms" "h" bundle.js:6534:8
10:05:39.324 "sockjs-client:main " "heartbeat" " +0ms" "websocket" bundle.js:6534:8

Request headers

GET /websocket/info?t=1429603513946 HTTP/1.1
Host: localhost:12540
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/index.html
Origin: http://localhost:8080
Connection: keep-alive

Response headers

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
access-control-allow-origin: http://localhost:8080
Vary: Origin
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Content-Type: application/json; charset=UTF-8
Date: Tue, 21 Apr 2015 08:05:14 GMT
Connection: keep-alive
Transfer-Encoding: chunked

@brycekahle
Contributor

@3rd-Eden Are you saying that Access-Control-Allow-Origin should be null whenever Origin is null?

@brycekahle
Contributor

It seems this behavior was intentional (see b2081aa). Was @majek mistaken?

@3rd-Eden

3rd-Eden commented May 6, 2015

@brycekahle Yes, it should respond with null. I think he was mistaken, as it clearly breaks the CORS specification: * origins can never be used for credentialed requests. If the fix was to support PhoneCrap then the users should be advised to whitelist their domains, as this will cause a correct Origin header to be set.

@ivan-kleshnin

Any news why this will be released as 0.3.16?

@brycekahle
Contributor

@ivan-kleshnin I just got back from holiday. I will do a release this week and ping you when it happens.

@KyleAMathews

@brycekahle hey, has this been released? CORS in webpack-dev-server is broken right now webpack/webpack-dev-server#277

@brycekahle
Contributor

@KyleAMathews not yet, sorry. I'll do my best to get it out this evening.

@KyleAMathews

💯

@brycekahle
Contributor

@KyleAMathews sorry I haven't released this yet. Work has been crazy because we just launched a product.

@garrettmaring

Update? 🤓

@genffy

genffy commented Mar 21, 2016

This condition may still exist in sockjs-client v1.0.3.

@brycekahle
Contributor

@ivan-kleshnin @KyleAMathews @garrettmaring @genffy I just published sockjs-node 0.3.16. Sorry about the major delay.

@garrettmaring

@brycekahle Is this confirmed to be working? Which commit could I take a look at (only saw README update one)?

@brycekahle
Contributor

@garrettmaring 7c8bfd2
