feat(origin): pass req in to cors logic

[toddtarsi]

Allows for an escape-hatch to do unusual CORS checks, whether using the user-agent header or w/e.
This is helpful when using an XHR API from outside the browser (app sandbox, wherever) and trying to pass CORS.

[dougwilson]

Since there are no tests or documentation included, can you provide more details on your specific use-case, including an example of how you are going to specifically use this?

[toddtarsi]

Yeah. For my particular use-case, I use the Cordova tooling, and on iOS, my requests are stuck coming from localhost. Now, trying to get the Origin right in the Cordova app is basically not doable.

They recommend using a proxy, and I'd really not like to have an iframe of the actual site in my cordova app. They also recommend some native xhr plugin, but I don't see how that's fixing the origin header.

https://hackernoon.com/a-practical-solution-for-cors-cross-origin-resource-sharing-issues-in-ionic-3-and-cordova-2112fc282664

However, there's a pretty nice header that can be driven from Cordova, and that is user-agent. So, I plan to make a custom user-agent, and to basically pass the whitelist if the user-agent exactly matches that user-agent.

[dougwilson]

Thank you for that information, but I guess maybe if I describe what I'm trying to do, it would help: I'm trying to write the documentation and tests around this. I'm sure your description makes sense to you, but it sounds like a high level description. How would you, specifically, use this change to work with what you described? Like can you show the code you would be putting into your app given this change to support the problem you described above?

[toddtarsi]

This is what that code would look like in a microcosm:

(origin, done, req) => {
  if (req.headers['user-agent'] === 'NO_CORS') return done(null, true);
  const fail = () => done('Origin disallowed');
  const allowedDomains = [domain1, domain2];
  if (!allowedDomains.includes(origin)) return fail();
  return done(null, true);
}

Also, thank you for the awesome repo, and let me know if I can help with this in any other ways.

[dougwilson]

Since the User-Agent header is allowed to be set by any website (https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name) your example would effectively allow any site to access your API, in which case a origin: true setting would be simpler to implement and work just the same.

[toddtarsi]

@dougwilson - Well shit. That blows a hole in that plan there. Thanks for the heads up on that! I don't want to give up on this avenue fully yet, because if I can set something from the app config that is forbidden to touch in browser, then that seems like the right course here. However, if you'd like, I can close this PR, and re-open it if I figure out a bit more.

[toddtarsi]

@dougwilson - Closing this, thanks for the great repo.