Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Difference in CORS OPTIONS Response between Nuxt and Nitro Server Routes #22512

Closed
samydoesit opened this issue Aug 6, 2023 · 2 comments · Fixed by #23995
Closed

Difference in CORS OPTIONS Response between Nuxt and Nitro Server Routes #22512

samydoesit opened this issue Aug 6, 2023 · 2 comments · Fixed by #23995
Assignees
@danielroe
Labels
3.x bug 🔨 p3-minor-bug vite

Comments

@samydoesit
Copy link
Contributor

samydoesit commented Aug 6, 2023
edited

Environment

  • Operating System: Darwin
  • Node Version: v18.16.0
  • Nuxt Version: 3.8.0
  • Nitro Version: 2.7.0
  • Package Manager: pnpm@7.29.3
  • Builder: vite
  • User Config: devtools

Reproduction

https://github.com/samydoesit/repro-nuxt-cors-options

Run nuxt (pnpm dev:nuxt) or nitro (pnpm dev:nitro) and send a cors options request to the http://localhost:3000/test endpoint.

In the nuxt response, the Access-Control-Allow-Credentials header is missing, and the Access-Control-Allow-Origin header is incorrectly set to *, disregarding the actual origin.

The Nitro response behaves as expected, including the Access-Control-Allow-Credentials header and correctly setting the Access-Control-Allow-Origin header to the actual origin.

It looks like in nuxt context the event handler is not called for the cors options request.

httppie request:

http --follow --all OPTIONS :3000/test \
Origin:'protocol://test'

curl request:

curl -I -X OPTIONS http://localhost:3000/test

Wrong Nuxt Response

HTTP/1.1 204 No Content
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 0
Date: Wed, 25 Oct 2023 17:58:02 GMT
Keep-Alive: timeout=5
Vary: Access-Control-Request-Headers

Correct Nitro Response

HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: protocol://test
connection: close
content-length: 4
content-type: text/html
date: Wed, 25 Oct 2023 17:59:01 GMT
vary: origin

TEST

Describe the bug

I'm facing an issue when testing CORS preflight (OPTIONS) requests in a local development environment using Nuxt and Nitro. When sending a CORS OPTIONS request to the http://localhost:3000/test endpoint, the responses differ between the two.

It seems that within the Nuxt context, the event handler isn't being triggered for CORS OPTIONS requests.

Additional context

Event Handler

unjs/nitro#1095 (comment)

export default defineEventHandler((event) => {
  setResponseHeader(event, 'x-custom', '123');
  setResponseHeader(event, 'access-control-allow-credentials', 'true');
  setResponseHeader(event, 'access-control-allow-origin', 'protocol://test');

  return {
    body: 'OK',
  }
})

Logs

No response
@danielroe
Copy link
Member

Let me know if unjs/nitro#1095 (comment) helps. If so, then this is likely a dev-only issue caused by the vite server.

@danielroe danielroe added the vite label Oct 26, 2023
@danielroe danielroe mentioned this issue Oct 26, 2023
Closed
@samydoesit
Copy link
Contributor Author

This helps and solves the problem, thanks.

@danielroe danielroe reopened this Oct 27, 2023
@danielroe danielroe self-assigned this Oct 27, 2023
@danielroe danielroe mentioned this issue Oct 28, 2023
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danielroe danielroe

Labels
3.x bug 🔨 p3-minor-bug vite
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(vite): use h3 cors handler for vite routes only nuxt/nuxt
2 participants
@samydoesit @danielroe