fix: do not overwrite CORS headers upon error
The Access-Control-Allow-xxx headers added by the cors middleware were
overwritten when sending an error response.

Those lines should have been removed in [1].

[1]: 61b9492

Related: #605
darrachequesne committed Oct 21, 2020
1 parent f9c0e74 commit fe093ba
Showing 2 changed files with 24 additions and 44 deletions.
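--- a/lib/server.js
+++ b/lib/server.js
@@ -475,12 +475,6 @@ function sendErrorMessage(req, res, code) {
 );
 return;
 }
-if (req.headers.origin) {
-headers["Access-Control-Allow-Credentials"] = "true";
-headers["Access-Control-Allow-Origin"] = req.headers.origin;
-} else {
-headers["Access-Control-Allow-Origin"] = "*";
-}
 if (res !== undefined) {
 res.writeHead(400, headers);
 res.end(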
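--- a/test/server.js
+++ b/test/server.js
@@ -33,7 +33,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(0);
 expect(res.body.message).to.be("Transport unknown");
-expect(res.header["access-control-allow-origin"]).to.be("*");
 done();
 });
 });
@@ -51,12 +50,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(0);
 expect(res.body.message).to.be("Transport unknown");
-expect(res.header["access-control-allow-credentials"]).to.be(
-"true"
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-"http://engine.io"
-);
 done();
 });
 });
@@ -73,12 +66,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(1);
 expect(res.body.message).to.be("Session ID unknown");
-expect(res.header["access-control-allow-credentials"]).to.be(
-"true"
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-"http://engine.io"
-);
 done();
 });
 });
@@ -101,12 +88,6 @@ describe("server", function() {
 expect(res.status).to.be(403);
 expect(res.body.code).to.be(4);
 expect(res.body.message).to.be("Thou shall not pass");
-expect(res.header["access-control-allow-credentials"]).to.be(
-undefined
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-undefined
-);
 done();
 });
 }
@@ -488,25 +469,30 @@ describe("server", function() {
 });
 
 it("should disallow bad requests", function(done) {
-listen(function(port) {
-request
-.get("http://localhost:%d/engine.io/default/".s(port))
-.set("Origin", "http://engine.io")
-.query({ transport: "websocket" })
-.end(function(err, res) {
-expect(err).to.be.an(Error);
-expect(res.status).to.be(400);
-expect(res.body.code).to.be(3);
-expect(res.body.message).to.be("Bad request");
-expect(res.header["access-control-allow-credentials"]).to.be(
-"true"
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-"http://engine.io"
-);
-done();
-});
-});
+listen(
+{
+cors: { credentials: true, origin: "http://engine.io" }
+},
+function(port) {
+request
+.get("http://localhost:%d/engine.io/default/".s(port))
+.set("Origin", "http://engine.io")
+.query({ transport: "websocket" })
+.end(function(err, res) {
+expect(err).to.be.an(Error);
+expect(res.status).to.be(400);
+expect(res.body.code).to.be(3);
+expect(res.body.message).to.be("Bad request");
+expect(res.header["access-control-allow-credentials"]).to.be(
+"true"
+);
+expect(res.header["access-control-allow-origin"]).to.be(
+"http://engine.io"
+);
+done();
+});
+}
+);
 });
 
 it("should send a packet along with the handshake", function(done) {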
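Review bot: The four error-path tests that lose their CORS assertions (both "Transport unknown" cases, "Session ID unknown", and the 403 "Thou shall not pass" case) no longer check the Access-Control-Allow-* headers at all, so a regression that again echoes the request's Origin with credentials on an error response would pass unnoticed. Assuming those tests call `listen` without a `cors` option (the calls sit outside the hunks), a negative check such as `expect(res.header["access-control-allow-origin"]).to.be(undefined);`, plus the same for `access-control-allow-credentials`, would pin the fixed behaviour. The rewritten "should disallow bad requests" test only sends an Origin that matches the configured one. A companion case with a different Origin against the same `cors` config would confirm that the error response carries the configured value and not the caller's.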
