Skip to content

Add support for having specified domain instead of wildcard #310

Description

@dani2819

What
We have a use case where we want to allow all domains * as origin, but we want library to set exact domain value (req.headers.origin) instead of * in Access-Control-Allow-Origin header.

The use-case comes as we also need to send credentials such as Cookies to the server. And, with * as Access-Control-Allow-Origin, you can't send credentials to the server.

It can be done by adding another option such as exactOriginIfMatches: true:

var corsOptions = {
  origin: '*',
  exactOriginIfMatches: true,
}

Current Behaviour*

var corsOptions = {
  origin: '*',
};

Request comes from http://example.com -> Library sets `Access-Control-Allow-Origin: *`

Proposed Behaviour*

var corsOptions = {
  origin: '*',
  exactOriginIfMatches: true,
};

Request comes from http://example.com -> Library sets `Access-Control-Allow-Origin: http://example.com`

var corsOptions = {
  origin: '*',
  exactOriginIfMatches: false,
};

Request comes from http://example.com -> Library sets `Access-Control-Allow-Origin: *`

In that case, the behaviour will be same but the value of Access-Control-Allow-Origin will be req.headers.origin instead of *. It will be helpful in sending credentials to the server.

Let me know how does it sound? Will be happy to open a PR if that makes sense!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions