No CORS Headers

[Nuli-byte]

Bug report

Required System information

• Node.js version: v16.17.0
• NPM version: 6.14.17
• Strapi version: 4.3.8
• Database: SQLite
• Operating system: Windows 10

Describe the bug

There is no CORS headers when i request the api.

Steps to reproduce the behavior

1. Launch "npx create-strapi-app@latest strapi-4.3.8 --no-run"
2. Change the port ".env" to 3000
3. Start the app in developpement mode and add content
4. Request the API

Expected behavior

By default (from the documentation), there should be an "access-control-allow-origin : '*'" header.

Screenshots

[majjikishore007]

Hi, @kasonde is this issue still there? if not resolved, can I work on this

[davidenke]

Hi, @kasonde is this issue still there? if not resolved, can I work on this

@majjikishore007 I'm having this issue as well, running 4.3.9 locally. Checked with Postman.

[CleberRossi]

I think this problem is because of how koa/js handles requests with missing Origin header.

I just opened a PullRequest for Koarjs/cors in order to fix the call for options handlers, even if Origin header is not sent. Follow req: https://www.rfc-editor.org/rfc/rfc6454#section-7.3

I Believie I'll fix this Koa/js Issue:
koajs/cors#18

After fixing it - If my Fix is right - I think we will need to check the default credentials true and allow with '*' as default. I am not sure if all request should have default credentials as true:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

To correct this problem on the client side, ensure that the credentials flag's value is false when issuing your CORS request.

If the request is being issued using XMLHttpRequest, make sure you're not setting withCredentials to true.
If using Server-sent events, make sure EventSource.withCredentials is false (it's the default value).
If using the Fetch API, make sure Request.credentials is "omit".
If, instead, you need to adjust the server's behavior, you'll need to change the value of Access-Control-Allow-Origin to grant access to the origin from which the client is loaded.

In order to FIX

• Wait if Koa/js PR is merged
• If so, set default credentials as false on strapi and origin to '*'
• Permit, if not is already, credentials to be overloaded as true

[CleberRossi]

@Nuli-byte @davidenke

In order to prioritize security, I left credentials as true as default. This means that the api will not responde with ´*' , as default, despite the configuration is.
We need to undestand that the default behavior is following Cors protocol and the default configuration is being followed.

Now, you guys have the possibility to set credentials as false and, even though origin is not being set on request header, you will see Access-Control-Allow-Origin as '*' as response.

How to set Access-Control-Allow-Origin as '*' ?

Set credentials as false on config/middlewares.js, call any API in order to retrive Access-Control-Allow-Origin as '*' as DEFAULT.

{
    name: 'strapi::cors',
    config: {
      credentials: false,
    },
  },