-
Notifications
You must be signed in to change notification settings - Fork 467
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Option to set Timing-Allow-Origin
#102
Comments
Hi @dcherman Inever heard of that header before, that was a good learning about! Sorry your issue sat here for a while; I'm recently looking after this module so trying to go through everything. That being said, I think that it is out of scope for this module, since it does not fall into the realm of http://www.w3.org/TR/cors/ and there are probably use-cases where someone would want them configured independently. But there is a easy implementation for your desired state: var cors = require('cors')
var onHeaders = require('on-headers')
// ... all your stuff
app.use(function (req, res, next) {
onHeaders(res, function () {
var allowOrigin = res.getHeader('Access-Control-Allow-Origin')
if (allowOrigin) {
res.setHeader('Timing-Allow-Origin', allowOrigin)
}
})
next()
})
app.use(cors()) I hope this helps! |
@dougwilson at the time that you wrote your response over six years ago, In 2019, it was added to the standard (whatwg/fetch#955) and it is currently included in the living CORS standard. Is it worth revisiting the decision not to add support for |
Hi @jmpage yea, it is part of the fetch spec, but still outside of the CORS part of the spec. You can find the CORS part only in section 3.2 of fetch you linked. That entire spec is all of fetch, with CORS on the server side, what this module is, only being section 3.2 . |
Got it and great point, thank you for your feedback, Doug! |
In order to allow the resource timing API to work correctly, the
Timing-Allow-Origin
must be set to allow certain portions of the resource timing API to be used.Can we add an option to allow this header to be set, matching the value reflected for the
Access-Control-Allow-Origin
header?The text was updated successfully, but these errors were encountered: