Permalink
Fetching contributors…
Cannot retrieve contributors at this time
73 lines (51 sloc) 4.08 KB

Cross-Origin Resource Sharing (CORS)

CORS is a mechanism that allows browser scripts on pages served from other domains (e.g. myothersite.com) to talk to your server (e.g. api.mysite.com). Like JSONP, the goal of CORS is to circumvent the same-origin policy; allowing your Sails server to successfully respond to requests from client-side JavaScript code running on a page hosted from some other domain. But unlike JSONP, it works with more than just GET requests. And it allows you to whitelist particular origins (staging.yoursite.com or yourothersite.net) and prevent requests from others (evil.com).

Sails can be configured to allow cross-origin requests from a list of domains you specify, or from every domain. This can be done on a per-route basis, or globally for every route in your app.

Enabling CORS

For security reasons, CORS is disabled by default in Sails. But enabling it is dead-simple.

To allow cross-origin requests from a whitelist of trusted domains to any route in your app, simply enable allRoutes and provide an origin setting in config/security.js:

cors: {
  allRoutes: true,
  allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888']
}

To allow cross-origin requests from any domain to any route in your app, use allowOrigins: '*':

cors: {
  allRoutes: true,
  allowOrigins: '*',
  allowCredentials: false
}

Note that when using allowOrigins: '*', the credentials setting must be false, meaning that requests containing cookies will be blocked. This restriction exists to prevent third-party sites from being able to trick your logged-in users into making unauthorized requests to your app. You can lift this restriction (at your own risk!) using the allowAnyOriginWithCredentialsUnsafe setting.

See sails.config.security.cors for a comprehensive reference of all available options.

Configuring CORS For individual routes

Besides the global CORS configuration in config/security.js, you can also configure these settings on a per-route basis in config/routes.js.

If you set allRoutes: true in config/security.js, but you want to exempt a specific route, set the cors: false in the route's target:

'POST /signup': {
   action: 'user/signup',
   cors: false
}

To enable or override global CORS configuration for a particular route, provide cors as a dictionary:

'GET /videos': {
   action: 'video/find',
   cors: {
     allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888'],
     allowCredentials: false
   }
}

Notes

  • CORS support is only relevant for HTTP requests. Requests made via sockets are not subject to cross-origin restrictions. To ensure that your app is secure via sockets, configure the onlyAllowOrigins setting (typically in config/env/production.js.
  • CORS is not supported in Internet Explorer 7. Fortunately, it is supported in IE8 and up, as well as in all other modern browsers.
  • Read more about CORS from MDN
  • Read the CORS spec