fix: don't allow credentials when all origins allowed (#47)

* fix(security): don't set access-control-allow-credentials header when access-control-allow-origin = * * docs: fix error in sample usage `access-control-allow-origin` header cannot return multiple origins. Middleware doesn't do that either.
schibsted · Aug 26, 2021 · 19a37d1 · 19a37d1
1 parent d3eed32
commit 19a37d1
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -49,7 +49,7 @@ handler({}, {}, (_, response) => {
   expect(response).toEqual({
     statusCode: 200,
     headers: {
-        'access-control-allow-origin': 'https://www.vg.no, https://www.tek.no',
+        'access-control-allow-origin': 'https://www.vg.no',
     },
     body: JSON.stringify({ foo: 'bar' }),
   })

diff --git a/index.js b/index.js
@@ -22,7 +22,7 @@ const getCorsHeaders = (
         }
     }
 
-    if (credentials !== undefined) {
+    if (credentials && !R.includes('*', allowedOrigins)) {
         headers['access-control-allow-credentials'] = credentials;
     }
 

diff --git a/index.test.js b/index.test.js
@@ -139,7 +139,6 @@ test('Adds CORS headers on success when all origins allowed', async () => {
     expect(response).toEqual({
         statusCode: 200,
         headers: {
-            'access-control-allow-credentials': true,
             'access-control-allow-headers': 'Content-Type, Accept, X-Forwarded-For',
             'access-control-allow-methods': 'GET, POST',
             'access-control-allow-origin': 'https://www.tek.no',
@@ -251,7 +250,6 @@ test('Adds CORS headers on error when all origins allowed', async () => {
         )
     ).resolves.toMatchObject({
         headers: {
-            'access-control-allow-credentials': true,
             'access-control-allow-headers': 'Content-Type, Accept, X-Forwarded-For',
             'access-control-allow-methods': 'GET, POST',
             'access-control-allow-origin': 'https://www.tek.no',