compliance to the standards #114
Comments
Hi @pkjg you're absolutely correct. Feel free to work on a pull request to help bring it up to spec :) !
Sure, although my main concern is that the changed behavior might break many products, as this package is quite a famous one.
Hi @pkjg that is definitely a concern, but I figured that you didn't share the concern, since you opened the issue. If you're concerned about that, what idea(s) do you have for resolving this issue? I assume you opened it to achieve something?
I needed to implement CORS for the project I am working on, was looking for a middleware, and stumbled on this, but it lacked compliance, so I ended up wiring it up myself. I will add that logic to this too and raise a PR (when I get time). We can close the issue for the time being. It's up to the maintainer to merge the breaking change or not.
The Corser module (https://www.npmjs.com/package/corser) is the main one with 100% spec compliance for Express AFAIK.
@pkjg any update on a PR for this?
Looks like this issue has been inactive for a while so I'm going to close it. Happy to reopen any time.
For information, the current spec for CORS can be found in the Fetch standard, which is less prescriptive than the original W3C standard was about how servers ought to implement CORS.
Does that spec change how servers should behave though? It specifies CORS in the context of browsers sending requests. I haven't read the whole Fetch standard, so I'm genuinely asking if it has affordances or changes that impact how CORS should be handled by servers.
@jonchurch You're right that the Fetch standard mainly focuses on browsers; however, it does contain some guidelines about how servers can/should implement CORS. In particular, see this passage:
Another example is the section entitled CORS protocol and HTTP caches. In comparison, the old W3C standard contained "normative requirements" that were much stricter about how servers ought to implement CORS:
I've argued elsewhere that those normative requirements actually were too strict and likely contributed to how hard troubleshooting CORS issues remains to this day with most CORS libraries.
Was comparing the middleware's working with the W3C recommendations here: https://www.w3.org/TR/cors/
seems like we are missing some cases. eg.