CORS support for multiple origins

[scottcorgan]

Because we have no access to the request object when setting up cors in the server configuration, I am unable to define multiple authorized origins.

var serverConfig = {
    cors: {
        origin: ['http://localhost:3000', 'http://localhost:8000']
    }
};

var server = new Hapi.Server(port, serverConfig);

If there's another way, can you please provide an example? Thanks so much!

[scottcorgan]

This is my proposed solution to accommodate this feature in Hapi:

// headers.js

exports.cors = function (response, request) {

    if (request.server.settings.cors) {

        // Set the origin
        // * it's a hack for multiple origins for Cors

        var origin = request.raw.req.headers.origin;
            authorizedOrigins = request.server.settings.cors._origin,
            requestOrigin = request.server.settings.cors._origin;

        // Validate the origin's authority

        if (authorizedOrigins.indexOf(origin) > -1) {
            requestOrigin = origin;
        }

        response.header('Access-Control-Allow-Origin', requestOrigin);
        response.header('Access-Control-Max-Age', request.server.settings.cors.maxAge);
        response.header('Access-Control-Allow-Methods', request.server.settings.cors._methods);
        response.header('Access-Control-Allow-Headers', request.server.settings.cors._headers);

        if (request.server.settings.cors.credentials) {
            response.header('Access-Control-Allow-Credentials', 'true');
        }
    }
};

[hueniverse]

Trying to understand the use case. You can define multiple origin values as shows in your code above. Is this an issue with browsers not understanding that part of the spec? Is this about narrowing down the response to just one origin (as long as it is in the list)?

[scottcorgan]

@hueniverse, Thanks for the response. It seems to be about narrowing down the response to just one origin as long as it's in the list. I have several internal apps that will need to access our api. I'd prefer to just use XHR to handle information creation and updating.

Make sense?

[hueniverse]

Sure. Thing. Will be included in the next release.

[scottcorgan]

Awesome, thanks!

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.