You want to:
Current behaviour
If an error occurs (e.g. Bad Request) while using the CORS middleware, CORS headers previously set via the middleware get overwritten in `sendErrorMessage`, in the following lines:

```javascript
if (req.headers.origin) {
  // reflects whatever Origin the request carried and allows credentials
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Origin"] = req.headers.origin;
} else {
  headers["Access-Control-Allow-Origin"] = "*";
}
```
Steps to reproduce (if the current behaviour is a bug)
- Start SocketIO Server
- Trigger a Bad Request (400), e.g. POST without body to the SocketIO Endpoint
- The response has the wrong CORS headers
```
curl 'https://domain/socket.io/?EIO=4&transport=polling&t=NL645og&sid=BMdQ8VDOxS8pJa55AAAC' -v
...
< server: nginx/1.17.7
< date: Tue, 20 Oct 2020 14:56:22 GMT
< vary: Origin
< access-control-allow-origin: *
```
Expected behaviour
CORS headers should only be added by the middleware; if the middleware is not used, CORS headers should not be set at all.
Setup
- OS: Fedora 32
- browser: Chrome 85
- engine.io version: 4.0.0
Other information (e.g. stacktraces, related issues, suggestions how to fix)
I'm not sure if the CORS headers are overwritten in the code for any particular reason; I would personally remove them (I can make a PR).
If error responses have separate fixed CORS header settings for a reason, I would like to add a comment to the function to make it clear that this is not just legacy CORS code.
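The header logic quoted above beside the middleware-only behaviour this issue asks for, together with a check that flags an error response whose CORS headers the middleware would not have produced. This is an added example, not engine.io's code; `auditCorsHeaders`, the allow-list and the sample origins are constructed for illustration.

```javascript
// Mirrors the quoted sendErrorMessage snippet: reflects any Origin and
// unconditionally allows credentials, or falls back to a wildcard.
function errorHeadersReflecting(req) {
  const headers = { "Content-Type": "application/json" };
  if (req.headers.origin) {
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Access-Control-Allow-Origin"] = req.headers.origin;
  } else {
    headers["Access-Control-Allow-Origin"] = "*";
  }
  return headers;
}

// Behaviour requested in the issue: the error path adds no CORS headers of
// its own, so whatever the CORS middleware already set on the response
// (passed here as `existing`, a constructed stand-in) is preserved untouched.
function errorHeadersMiddlewareOnly(req, existing = {}) {
  return { ...existing, "Content-Type": "application/json" };
}

// Defender-side check (hypothetical helper): compare the CORS headers of an
// error response against the origins the middleware is configured to allow
// and report anything the middleware itself would not have emitted.
function auditCorsHeaders(headers, allowedOrigins) {
  const findings = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === "*" && allowedOrigins.length > 0) {
    findings.push("wildcard origin despite a configured allow-list");
  }
  if (acao && acao !== "*" && !allowedOrigins.includes(acao)) {
    findings.push(`origin not in allow-list: ${acao}`);
  }
  if (acac === "true" && acao && !allowedOrigins.includes(acao)) {
    findings.push("credentials allowed for an origin outside the allow-list");
  }
  return findings;
}

// Constructed sample: the middleware allows one origin, a request arrives
// from another, and the error path is exercised both ways.
const allowed = ["https://app.example"];
const foreignReq = { headers: { origin: "https://other.example" } };
const fromMiddleware = { "Access-Control-Allow-Origin": "https://app.example", Vary: "Origin" };
console.log(auditCorsHeaders(errorHeadersReflecting(foreignReq), allowed));
console.log(auditCorsHeaders(errorHeadersMiddlewareOnly(foreignReq, fromMiddleware), allowed));
```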