Allow dynamic import() requests from any origin on any device. #9954
Conversation
|
@call-a3: Thank you for submitting a pull request! Before we can merge it, you'll need to sign the Meteor Contributor Agreement here: https://contribute.meteor.com/ |
packages/dynamic-import/server.js
Outdated
| @@ -66,7 +66,11 @@ function middleware(request, response) { | |||
| response.setHeader("Access-Control-Allow-Origin", "*"); | |||
|
|
|||
| if (request.method === "OPTIONS") { | |||
| response.setHeader("Access-Control-Allow-Headers", "*"); | |||
| if (request.headers["access-control-request-headers"] !== undefined) { | |||
There was a problem hiding this comment.
Do we need to worry about different possible capitalizations when checking for this header?
Also we typically test typeof value === "undefined" rather than relying on the undefined identifier, just because undefined is mutable in some environments.
There was a problem hiding this comment.
No need to worry about capitalization, all keys of headers are lower-cased by node.
packages/dynamic-import/server.js
Outdated
| @@ -66,7 +66,11 @@ function middleware(request, response) { | |||
| response.setHeader("Access-Control-Allow-Origin", "*"); | |||
|
|
|||
| if (request.method === "OPTIONS") { | |||
| response.setHeader("Access-Control-Allow-Headers", "*"); | |||
| if (request.headers["access-control-request-headers"] !== undefined) { | |||
| response.setHeader("Access-Control-Allow-Headers", request.headers["access-control-request-headers"]); | |||
There was a problem hiding this comment.
Especially if we end up having to check for multiple variations of this header, it would be good to store the value in a variable that we could reuse down here.
A tweak to the change introduced in c4b5707 to fix #9952.
This will allow clients that don't support the * value in
Access-Control-Allow-Headers,but do specify the
Access-Control-Request-Headers(such as electron 2.0.2) to use dynamic import.