compliance to the standards

[pangoyal]

was comparing the middleware's working with the w3c recommendations here https://www.w3.org/TR/cors/

seems like we are missing some cases. eg.

If the Origin header is not present terminate this set of steps. The request is outside the scope of this specification.

If the value of the Origin header is not a case-sensitive match for any of the values in list of origins do not set any additional headers and terminate this set of steps.

If there is no Access-Control-Request-Method header or if parsing failed, do not set any additional headers and terminate this set of steps

[dougwilson]

Hi @pkjg you're absolutely correct. Feel free to work on a pull request to help bring it up to spec :) !

[pangoyal]

sure. although my main concern is that the changed behavior might break many products as this package is quite a famous one.

[dougwilson]

Hi @pkjg that is definitely a concern, but I figured that you didn't share the concern, since you opened the issue. If you're concerned about that, what idea(s) do you have for resolving this issue? I assume you opened it to achieve something?

[pangoyal]

I needed to implement CORS for the project I am working on, was looking for a middleware, stumbled on this, but lacked compliance so, ended up wiring up myself. I will add that logic to this too and raise a PR (when I get time). We can close the issue for the time being. Its upto the maintainer to merge breaking change or not.

[dougwilson]

The Corser module (https://www.npmjs.com/package/corser) is the main one with 100% spec compliance for Express AFAIK.

[dijonkitchen]

@pkjg any update on a PR for this?

[e-l-i-s-e]

Looks like this issue has been inactive for a while so I'm going to close it. Happy to reopen any time.

[jub0bs]

For information, the current spec for CORS can be found in the Fetch standard, which is less prescriptive than the original W3C standard was about how servers ought to implement CORS.

[jonchurch]

Does that spec change how servers should behave though? It specifies CORS in the context of browsers sending requests.

I haven't read the whole Fetch standard, so Im genuinely asking if it has affordances or changes that impact how CORS should be handled by servers.

[jub0bs]

@jonchurch You're right that the Fetch standard mainly focuses on browsers; however, it does contain some guidelines about how servers can/should implement CORS. In particular, see this passage:

Ultimately server developers have a lot of freedom in how they handle HTTP responses and these tactics can differ between the response to the CORS-preflight request and the CORS request that follows it:

• They can provide a static response. This can be helpful when working with caching intermediaries. A static response can both be successful and not successful depending on the CORS request. This is okay.
• They can provide a dynamic response, tuned to CORS request. This can be helpful when the response body is to be tailored to a specific origin or a response needs to have credentials and be successful for a set of origins.

Another example is the section entitled CORS protocol and HTTP caches.

In comparison, the old W3C standard contained "normative requirements" that were much stricter about how servers ought to implement CORS:

Servers MUST use the following set of steps to determine which additional headers to use in the response:

1. If the value of the Origin header is not a case-sensitive match for any of the values in list of origins do not set any additional headers and terminate this set of steps.

   • Always matching is acceptable since the list of origins can be unbounded.

2. Let method be the value as result of parsing the Access-Control-Request-Method header.

   • If there is no Access-Control-Request-Method header or if parsing failed, do not set any additional headers and terminate this set of steps.

[...]

I've argued elsewhere that those normative requirements actually were too strict and likely contributed to how hard troubleshooting CORS issues remains to this day with most CORS libraries.