Fix CORS response when using default wildcard origin#398
Merged
Conversation
…entials Per the CORS spec, the wildcard Access-Control-Allow-Origin: * cannot be combined with Access-Control-Allow-Credentials: true - browsers reject such responses on credentialed requests. The express adapter always sends credentials: true, so the default cors: '*' produced an invalid combination that broke every cross-origin credentialed request in browsers. When cors === '*', pass origin: true to the cors middleware so the request origin is reflected back, preserving the "allow from anywhere" intent while staying spec-compliant with credentials: true. Adds a public-API-only regression test that hits an endpoint with an Origin header and asserts the response does not combine '*' with credentials.
This PR contains:
Describe the problem you have without this PR
When the RxDB server is configured with the default `cors: '*'` setting, it sends both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` in CORS responses. According to the CORS specification, these two headers cannot be combined—browsers reject such responses for credentialed requests (those with cookies or authorization headers). This causes cross-origin requests with credentials to fail.
Solution
Modified the Express adapter's `setCors` function to reflect the request `Origin` header back to the client when `cors` is set to `'*'`. This maintains the "allow from anywhere" semantics while remaining compatible with the `credentials: true` setting that the server always sends.
The fix:
- Changed `origin: cors` to `origin: cors === '*' ? true : cors` in the CORS configuration
- When `cors` is `'*'`, the express-cors middleware's `origin: true` option automatically reflects the request's `Origin` header back
Todos
Test Plan
Added a new unit test `should not combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true` that:
- `Access-Control-Allow-Credentials: true` is present
- `Access-Control-Allow-Origin` is NOT the wildcard `*`
The test confirms the fix resolves the invalid CORS response issue.
@pubkey
https://claude.ai/code/session_019bXsHspdrrMQGtwnuE1cqG
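The header combination this PR fixes, as an added example that is not RxDB's code or the cors middleware's code: a simplified model of the middleware's documented `origin` semantics (`'*'` literal, `true` reflects the request Origin, a string is sent as given) applied to the option mapping before and after the fix, plus the check the regression test performs. The request origin is a constructed sample.

```javascript
// Simplified model (added example, not the real `cors` package) of how the
// express cors middleware turns its `origin` option into response headers.
//   '*'    -> literal wildcard Access-Control-Allow-Origin
//   true   -> reflect the request's Origin header back (plus Vary: Origin)
//   string -> that exact origin
function corsHeaders({ origin, credentials }, requestOrigin) {
  const headers = {};
  if (origin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (origin === true) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin'; // caches must key on the request origin now
  } else if (typeof origin === 'string') {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
  }
  // The RxDB express adapter always sends credentials: true.
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Option mapping before the fix: the default cors '*' is passed straight through.
function buggyOptions(cors) {
  return { origin: cors, credentials: true };
}

// Option mapping after the fix: '*' becomes origin: true (reflect the Origin).
function fixedOptions(cors) {
  return { origin: cors === '*' ? true : cors, credentials: true };
}

// CORS rule browsers enforce for credentialed requests: the wildcard origin
// may not be combined with Access-Control-Allow-Credentials: true.
function isValidCredentialedCorsResponse(headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const allowCredentials = headers['Access-Control-Allow-Credentials'];
  return !(allowCredentials === 'true' && allowOrigin === '*');
}

// Constructed sample request origin, as a browser would send it.
const sampleOrigin = 'https://app.example';

console.log('before fix:', corsHeaders(buggyOptions('*'), sampleOrigin),
  isValidCredentialedCorsResponse(corsHeaders(buggyOptions('*'), sampleOrigin)));
console.log('after fix: ', corsHeaders(fixedOptions('*'), sampleOrigin),
  isValidCredentialedCorsResponse(corsHeaders(fixedOptions('*'), sampleOrigin)));
```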