
Commit fe093ba

fix: do not overwrite CORS headers upon error
The Access-Control-Allow-xxx headers added by the cors middleware were overwritten when sending an error response. Those lines should have been removed in [1]. [1]: 61b9492 Related: #605
1 parent f9c0e74 commit fe093ba


2 files changed

+24
-44
lines changed


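--- a/lib/server.js
+++ b/lib/server.js
@@ -475,12 +475,6 @@ function sendErrorMessage(req, res, code) {
 );
 return;
 }
-if (req.headers.origin) {
-headers["Access-Control-Allow-Credentials"] = "true";
-headers["Access-Control-Allow-Origin"] = req.headers.origin;
-} else {
-headers["Access-Control-Allow-Origin"] = "*";
-}
 if (res !== undefined) {
 res.writeHead(400, headers);
 res.end(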

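--- a/test/server.js
+++ b/test/server.js
@@ -33,7 +33,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(0);
 expect(res.body.message).to.be("Transport unknown");
-expect(res.header["access-control-allow-origin"]).to.be("*");
 done();
 });
 });
@@ -51,12 +50,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(0);
 expect(res.body.message).to.be("Transport unknown");
-expect(res.header["access-control-allow-credentials"]).to.be(
-"true"
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-"http://engine.io"
-);
 done();
 });
 });
@@ -73,12 +66,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(1);
 expect(res.body.message).to.be("Session ID unknown");
-expect(res.header["access-control-allow-credentials"]).to.be(
-"true"
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-"http://engine.io"
-);
 done();
 });
 });
@@ -101,12 +88,6 @@ describe("server", function() {
 expect(res.status).to.be(403);
 expect(res.body.code).to.be(4);
 expect(res.body.message).to.be("Thou shall not pass");
-expect(res.header["access-control-allow-credentials"]).to.be(
-undefined
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-undefined
-);
 done();
 });
 }
@@ -488,25 +469,30 @@ describe("server", function() {
 });
 
 it("should disallow bad requests", function(done) {
-listen(function(port) {
-request
-.get("http://localhost:%d/engine.io/default/".s(port))
-.set("Origin", "http://engine.io")
-.query({ transport: "websocket" })
-.end(function(err, res) {
-expect(err).to.be.an(Error);
-expect(res.status).to.be(400);
-expect(res.body.code).to.be(3);
-expect(res.body.message).to.be("Bad request");
-expect(res.header["access-control-allow-credentials"]).to.be(
-"true"
-);
-expect(res.header["access-control-allow-origin"]).to.be(
-"http://engine.io"
-);
-done();
-});
-});
+listen(
+{
+cors: { credentials: true, origin: "http://engine.io" }
+},
+function(port) {
+request
+.get("http://localhost:%d/engine.io/default/".s(port))
+.set("Origin", "http://engine.io")
+.query({ transport: "websocket" })
+.end(function(err, res) {
+expect(err).to.be.an(Error);
+expect(res.status).to.be(400);
+expect(res.body.code).to.be(3);
+expect(res.body.message).to.be("Bad request");
+expect(res.header["access-control-allow-credentials"]).to.be(
+"true"
+);
+expect(res.header["access-control-allow-origin"]).to.be(
+"http://engine.io"
+);
+done();
+});
+}
+);
 });
 
 it("should send a packet along with the handshake", function(done) {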
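Review bot: The "Transport unknown" and "Session ID unknown" tests (hunks at -33, -51 and -73) drop their CORS assertions instead of inverting them, so nothing pins that an error response sent without a `cors` option carries no `Access-Control-Allow-*` headers; their `listen` calls are outside the hunks, so that they run without `cors` is inferred. The server code removed in this commit echoed the request's `Origin` alongside `Access-Control-Allow-Credentials: true`, and a negative check is the regression guard against that coming back: `expect(res.header["access-control-allow-origin"]).to.be(undefined);` plus the same line for `access-control-allow-credentials`. The "Thou shall not pass" test (hunk at -101) already had exactly these `undefined` checks and loses them as well; keeping them there would cost nothing. The rewritten "should disallow bad requests" test only exercises an `Origin` equal to the configured `cors.origin`, so a second case with a different `Origin` would document what the middleware returns on an error path for a non-allowed caller.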
