hapi v11.0.0 is primarily a rewrite of the CORS implementation. The previous code was confusing, implemented the protocol incorrectly, and allowed configurations that at best returned inconsistent headers and at worst permitted cross-origin activities that were expected to be forbidden. The change removes half of the CORS options available and makes the implementation truly per-route, without any connection-wide catch-all.
Upgrade time: low - no time to a couple of hours for most users
Complexity: low - a bit of search and replace and removal of unsupported configs
Risk: low - low risk of side effects and few changes to keep track of overall
Dependencies: medium - removed the server.after() method
Sponsor
The v11.0.0 major release is sponsored by Sideway.
Breaking Changes
Removed the CORS configuration options: methods, additionalMethods, matchOrigin, isOriginExposed, and override.
Added the 204 HTTP status code to the default list of cached responses.
The qs module no longer parses dot notation names into sub objects by default.
Removed server.after().
Removed id from the 'received' event data (was already available as a generic event property).
New Features
Allow response validation of non-object responses (string, number, etc).
New option to override empty 200 HTTP status responses with 204.
Bug fixes
Fixes multiple issues with CORS, including a few that are security related.
Updated dependencies
qs from v4.0.0 to v5.2.0
Migration Checklist
CORS
You don't have to change anything if:
not setting the cors route option
using it with the defaults by setting the value to true
not using the cors options: methods, additionalMethods, matchOrigin, isOriginExposed, and override
The main changes are:
CORS preflight headers are now set only on preflight requests and not on resource requests. This means that the methods and additionalMethods options are no longer needed, because the preflight response returns the requested method as specified by the protocol. This ensures that other methods on the same path, which may not allow cross-origin access, can be configured separately.
The override flag is no longer needed: the only CORS header you may set manually at the handler level is Access-Control-Expose-Headers, which is appended to by default. Setting any other CORS header manually results in a conflict with the preflight response.
The Access-Control-Allow-Origin header is now always set to the incoming Origin header value. If the incoming value does not match the allowed origins, no CORS headers are set.
Checklist:
Make sure that if you are using the internal CORS feature, you are not setting ANY CORS headers yourself other than optionally Access-Control-Expose-Headers. If you need to set any other header manually, do not use the CORS feature! You will end up with a broken and potentially insecure implementation.
Remove the options no longer supported. There is no need to replace them.
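To make the three rules above concrete, here is an added example, not hapi's own code: a standalone model of per-route CORS handling in which the preflight grant is scoped to the route of the requested method, the incoming Origin is echoed only when it matches that route's allowed origins, and a resource response carries no preflight headers. The route table, policies and request objects are constructed for illustration; the option names (origin, headers, exposedHeaders, maxAge, credentials) mirror hapi's cors option, but nothing else about hapi's internals is assumed.

```javascript
// Added example, not hapi's own code: a standalone model of the per-route
// CORS rules described in the migration notes. Routes, policies and requests
// are constructed; option names mirror hapi's cors option, nothing more.

// Fill in defaults so every route policy has the same shape.
function policy(opts) {
  return {
    origin: opts.origin || ['*'],
    headers: (opts.headers || []).map((h) => h.toLowerCase()),
    exposedHeaders: (opts.exposedHeaders || []).map((h) => h.toLowerCase()),
    maxAge: opts.maxAge || 86400,
    credentials: Boolean(opts.credentials),
  };
}

// One policy per method + path; a route with cors: false simply gets no headers.
const routes = {
  'GET /api/items': policy({
    origin: ['https://app.example.com', 'https://*.trusted.example'],
    exposedHeaders: ['x-request-id'],
    credentials: true,
    headers: ['content-type'],
    maxAge: 600,
  }),
  'POST /api/items': policy({
    origin: ['https://app.example.com'],
    headers: ['content-type', 'authorization'],
  }),
  'DELETE /api/items': false, // cross-origin deletes stay forbidden on this path
};

// Exact match, '*', or a single-'*' wildcard such as 'https://*.trusted.example'.
function originAllowed(origin, rules) {
  if (!origin) return false;
  return rules.some((rule) => {
    if (rule === '*' || rule === origin) return true;
    const star = rule.indexOf('*');
    if (star === -1) return false;
    const prefix = rule.slice(0, star);
    const suffix = rule.slice(star + 1);
    return origin.startsWith(prefix) && origin.endsWith(suffix) &&
      origin.length > prefix.length + suffix.length;
  });
}

function csv(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Preflight: OPTIONS carrying Access-Control-Request-Method. The grant is scoped
// to the route of the *requested* method; null means "set no CORS headers".
function preflightHeaders(req) {
  const origin = req.headers.origin;
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const cors = method && routes[`${method} ${req.path}`];
  if (!cors || !originAllowed(origin, cors.origin)) return null;
  const requested = csv(req.headers['access-control-request-headers']);
  if (!requested.every((h) => cors.headers.includes(h))) return null;
  const headers = {
    'access-control-allow-origin': origin,   // echo the matched Origin, never '*'
    'access-control-allow-methods': method,  // only the method that was asked for
    'access-control-max-age': String(cors.maxAge),
    vary: 'origin',                          // reflected origin: keep caches per-origin
  };
  if (cors.headers.length) headers['access-control-allow-headers'] = cors.headers.join(',');
  if (cors.credentials) headers['access-control-allow-credentials'] = 'true';
  return headers;
}

// Resource request: no preflight headers here. The handler may only contribute
// Access-Control-Expose-Headers, which is merged with the route's configured list.
function resourceHeaders(req, handlerHeaders = {}) {
  const origin = req.headers.origin;
  const cors = routes[`${req.method.toUpperCase()} ${req.path}`];
  const out = { ...handlerHeaders };
  if (!cors || !originAllowed(origin, cors.origin)) return out; // no CORS headers at all
  out['access-control-allow-origin'] = origin;
  out.vary = 'origin';
  const exposed = new Set([...cors.exposedHeaders, ...csv(handlerHeaders['access-control-expose-headers'])]);
  if (exposed.size) out['access-control-expose-headers'] = [...exposed].join(',');
  if (cors.credentials) out['access-control-allow-credentials'] = 'true';
  return out;
}
```

Two details are worth noting in the model. A preflight for DELETE on /api/items returns null even though GET on the same path allows the origin, which is the per-route separation the methods option used to blur. And a handler-supplied Access-Control-Expose-Headers is merged rather than overwritten, whereas any other CORS header the handler sets would simply be clobbered by the policy, which is why the checklist says not to set them.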
Misc
If you rely on the previous qs query parsing behavior of breaking dot-notation into segments, you must set the allowDots option to true. This is available in route config payload.qs and connection config query.qs.
Replace server.after(method, deps) with server.ext('onPreStart', method, { after: deps }).
If you listen to the request 'received' event, use the event.request value instead of the removed event.data.id value.
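The dot-notation change above is easiest to see with a parser in hand. The following is an added example, not the qs module's code: a minimal query-string parser with an allowDots switch that reproduces the two behaviours described (the default treats "a.b" as a literal key; allowDots turns it into a nested object). In hapi v11 terms the switch is passed through route config payload.qs or connection config query.qs, for example { query: { qs: { allowDots: true } } }; the input strings here are constructed, and the refusal to walk into prototype-level keys is a defensive choice of this example, not a description of qs.

```javascript
// Added example, not the qs module's code: a minimal query-string parser that
// shows what the allowDots switch changes. Input strings are constructed.

// Refuse to walk into prototype-level keys: nested objects built from user
// input should never reach Object.prototype (defensive choice of this example).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Assign value at path (array of key segments) inside target, creating
// prototype-less intermediate objects as needed.
function assign(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length; i++) {
    const seg = path[i];
    if (FORBIDDEN.has(seg)) return target;
    if (i === path.length - 1) {
      cur[seg] = value;
    } else {
      if (typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = Object.create(null);
      cur = cur[seg];
    }
  }
  return target;
}

function parseQuery(query, { allowDots = false } = {}) {
  const result = Object.create(null);
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent((eq === -1 ? pair : pair.slice(0, eq)).replace(/\+/g, ' '));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    // Default: 'user.name' is one literal key. With allowDots: { user: { name } }.
    assign(result, allowDots ? key.split('.') : [key], value);
  }
  return result;
}
```

If your handlers read req.query.user.name today, the upgrade will hand them req.query['user.name'] instead until allowDots is switched on; a quick grep for dotted keys in query and payload access is the cheapest way to find the affected routes.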