How to add specific urls to cors?

[CristobalSoto]

I need to login from a different app, Im using cors middleware to be able to access the blitz app endpoints but when I put the credentials 'include' I get the error that the Access-Control-Allow-Origin header should not be with wildcard (*), I suppose that is what is set when I add the cors middleware so what is the best way to do this because if I use the cors middleware I cant use the credencials include apparently....

[MrLeebo]

If permitting more than one origin in your CORS configuration, your middleware options should look like this example: https://www.npmjs.com/package/cors#configuring-cors-w-dynamic-origin set up an array with the specific origins you are permitting:

var whitelist = ['http://example1.com', 'http://example2.com']
var corsOptions = {
  origin: function (origin, callback) {
    if (whitelist.indexOf(origin) !== -1) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}

The reason you don't want to pair credentials: 'include' with Access-Control-Allow-Origin: * is because that would allow any website your users visit (or one that a bad guy has injected code onto) to take advantage of your session cookie to make authenticated requests to the app without your user's knowledge or consent.

[CristobalSoto]

I am using cors middleware provided by blitz https://blitzjs.com/docs/api-routes#connect-express-middleware-support
how I do that with this middleware?

[MrLeebo]

Everything is the same. You're just adding the origin option when you initialize the middleware.

import Cors from "cors"

// Initializing the cors middleware
const cors = Cors({
  methods: ["GET", "HEAD"],
  origin: (origin, callback) => {
    // ...
  }
})

Both links refer to the same middleware.