CORS middleware not working in Strapi 5.0.0-rc.9

[frontBOI]

Bug report

Required System information

• Node.js version: 18.19.0
• NPM version: 10.8.2
• Strapi version: 5.0.0-rc.9
• Database: sqlite
• Operating system: macos on M1 chip
• Is your project Javascript or Typescript: Typescript

Describe the bug

I have this custom cors configuration in /config/middlewares.ts:

{
    name: 'strapi::cors',
    config: {
      headers: ['accept-language', 'Token', 'Content-Type', 'Authorization', 'Accept', 'Origin', 'Response-Type'],
      origin:
        process.env.NODE_ENV === 'production'
          ? [`https://${process.env.DOMAIN}`, `https://${process.env.STRAPI_DOMAIN}`]
          : [
              'http://127.0.0.1:3000',
              'http://127.0.0.1:1337',
              'http://localhost:3000',
              'http://localhost:1337',
              'https://api.traefik.me',
              'https://docker.traefik.me',
            ],
    },
  }

In a local environment, I get CORS errors on POST request.
Here is what the preflight request gives me:

access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-origin: *

As you can see, the origin is not correct and I don't get the access-control-allow-credentials which is mandatory for my use case. But because it is not set, I get this error:

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Why isn't the cors middleware working as expected ? I checked Strapi's source code and the default cors values include this allow credentials header.

A case where it is working

In a local docker environment it works - the preflight request gives me this:

access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With,Accept,Content-Type,Content-Length,Authorization
access-control-allow-methods: GET,POST,PUT,OPTIONS,HEAD,DELETE
access-control-allow-origin: https://docker.traefik.me

What is the problem with local environment ?

Expected behavior

When I declare a cors middleware custom config, I want it to be taken into account.

Screenshots

The preflight response in localhost that is not working as expected.

[strapi-bot]

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/cors-custom-config-not-working-in-strapi-5/40608/2

[derrickmehaffy]

If the browser doesn't send an origin header (which is done automatically) the CORS middleware defaults to *. Origin isn't typically sent in samesite requests or in localhost.

strapi/packages/core/core/src/middlewares/cors.ts

Lines 41 to 43 in 4f54945

	if (!ctx.get('Origin')) {
	return '*';
	}

There could be many reasons why the origin header isn't sent but this isn't an issue with us. If we have no origin header we have nothing to compare to the whitelist.