mirror of
https://github.com/honojs/hono.git
synced 2024-11-24 19:26:56 +01:00
fix(cors): avoid setting Access-Control-Allow-Origin
if there is no matching origin (#3510)
This commit is contained in:
parent
331166471c
commit
cebf4e87f3
@ -34,6 +34,12 @@ describe('CORS by Middleware', () => {
|
||||
|
||||
app.use('/api5/*', cors())
|
||||
|
||||
app.use(
|
||||
'/api6/*',
|
||||
cors({
|
||||
origin: 'http://example.com',
|
||||
})
|
||||
)
|
||||
app.use(
|
||||
'/api6/*',
|
||||
cors({
|
||||
@ -83,7 +89,10 @@ describe('CORS by Middleware', () => {
|
||||
})
|
||||
|
||||
it('Preflight with options', async () => {
|
||||
const req = new Request('https://localhost/api2/abc', { method: 'OPTIONS' })
|
||||
const req = new Request('https://localhost/api2/abc', {
|
||||
method: 'OPTIONS',
|
||||
headers: { origin: 'http://example.com' },
|
||||
})
|
||||
const res = await app.request(req)
|
||||
|
||||
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
|
||||
@ -105,6 +114,15 @@ describe('CORS by Middleware', () => {
|
||||
expect(res.headers.get('Access-Control-Allow-Credentials')).toBe('true')
|
||||
})
|
||||
|
||||
it('Disallow an unmatched origin', async () => {
|
||||
const req = new Request('https://localhost/api2/abc', {
|
||||
method: 'OPTIONS',
|
||||
headers: { origin: 'http://example.net' },
|
||||
})
|
||||
const res = await app.request(req)
|
||||
expect(res.headers.has('Access-Control-Allow-Origin')).toBeFalsy()
|
||||
})
|
||||
|
||||
it('Allow multiple origins', async () => {
|
||||
let req = new Request('http://localhost/api3/abc', {
|
||||
headers: {
|
||||
@ -116,7 +134,10 @@ describe('CORS by Middleware', () => {
|
||||
|
||||
req = new Request('http://localhost/api3/abc')
|
||||
res = await app.request(req)
|
||||
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
|
||||
expect(
|
||||
res.headers.has('Access-Control-Allow-Origin'),
|
||||
'An unmatched origin should be disallowed'
|
||||
).toBeFalsy()
|
||||
|
||||
req = new Request('http://localhost/api3/abc', {
|
||||
headers: {
|
||||
@ -124,13 +145,17 @@ describe('CORS by Middleware', () => {
|
||||
},
|
||||
})
|
||||
res = await app.request(req)
|
||||
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
|
||||
expect(
|
||||
res.headers.has('Access-Control-Allow-Origin'),
|
||||
'An unmatched origin should be disallowed'
|
||||
).toBeFalsy()
|
||||
})
|
||||
|
||||
it('Allow different Vary header value', async () => {
|
||||
const res = await app.request('http://localhost/api3/abc', {
|
||||
headers: {
|
||||
Vary: 'accept-encoding',
|
||||
Origin: 'http://example.com',
|
||||
},
|
||||
})
|
||||
|
||||
@ -169,7 +194,11 @@ describe('CORS by Middleware', () => {
|
||||
})
|
||||
|
||||
it('Should not return duplicate header values', async () => {
|
||||
const res = await app.request('http://localhost/api6/abc')
|
||||
const res = await app.request('http://localhost/api6/abc', {
|
||||
headers: {
|
||||
origin: 'http://example.com',
|
||||
},
|
||||
})
|
||||
|
||||
expect(res.headers.get('Access-Control-Allow-Origin')).toBe('http://example.com')
|
||||
})
|
||||
|
@ -68,11 +68,15 @@ export const cors = (options?: CORSOptions): MiddlewareHandler => {
|
||||
|
||||
const findAllowOrigin = ((optsOrigin) => {
|
||||
if (typeof optsOrigin === 'string') {
|
||||
return () => optsOrigin
|
||||
if (optsOrigin === '*') {
|
||||
return () => optsOrigin
|
||||
} else {
|
||||
return (origin: string) => (optsOrigin === origin ? origin : null)
|
||||
}
|
||||
} else if (typeof optsOrigin === 'function') {
|
||||
return optsOrigin
|
||||
} else {
|
||||
return (origin: string) => (optsOrigin.includes(origin) ? origin : optsOrigin[0])
|
||||
return (origin: string) => (optsOrigin.includes(origin) ? origin : null)
|
||||
}
|
||||
})(opts.origin)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user