[revert] Allow configuration of Access-Control-Allow-Origin value (#511)

This reverts commit ebf1a96.

Related: #3381

Author: darrachequesne

README.md

@@ -228,7 +228,6 @@ to a single process.
       - `maxHttpBufferSize` (`Number`): how many bytes or characters a message
         can be, before closing the session (to avoid DoS). Default
         value is `10E7`.
-      - `origins` (`String`): the allowed origins (`*`)
       - `allowRequest` (`Function`): A function that receives a given handshake
         or upgrade request as its first parameter, and can decide whether to
         continue or not. The second argument is a function that needs to be

lib/server.js

@@ -45,7 +45,6 @@ function Server (opts) {
   this.allowUpgrades = false !== opts.allowUpgrades;
   this.allowRequest = opts.allowRequest;
   this.cookie = false !== opts.cookie ? (opts.cookie || 'io') : false;
-  this.origins = opts.origins || '*';
   this.cookiePath = false !== opts.cookiePath ? (opts.cookiePath || '/') : false;
   this.cookieHttpOnly = false !== opts.cookieHttpOnly;
   this.perMessageDeflate = false !== opts.perMessageDeflate ? (opts.perMessageDeflate || true) : false;
@@ -222,7 +221,7 @@ Server.prototype.handleRequest = function (req, res) {
   var self = this;
   this.verify(req, false, function (err, success) {
     if (!success) {
-      self.sendErrorMessage(req, res, err);
+      sendErrorMessage(req, res, err);
       return;
     }
 
@@ -243,7 +242,7 @@ Server.prototype.handleRequest = function (req, res) {
  * @api private
  */
 
-Server.prototype.sendErrorMessage = function (req, res, code) {
+function sendErrorMessage (req, res, code) {
   var headers = { 'Content-Type': 'application/json' };
 
   var isForbidden = !Server.errorMessages.hasOwnProperty(code);
@@ -255,21 +254,20 @@ Server.prototype.sendErrorMessage = function (req, res, code) {
     }));
     return;
   }
-
-  headers['Access-Control-Allow-Origin'] = this.origins;
-  headers['Vary'] = 'Origin';
   if (req.headers.origin) {
     headers['Access-Control-Allow-Credentials'] = 'true';
+    headers['Access-Control-Allow-Origin'] = req.headers.origin;
+  } else {
+    headers['Access-Control-Allow-Origin'] = '*';
   }
-
   if (res !== undefined) {
     res.writeHead(400, headers);
     res.end(JSON.stringify({
       code: code,
       message: Server.errorMessages[code]
     }));
   }
-};
+}
 
 /**
  * generate a socket id.
@@ -295,12 +293,9 @@ Server.prototype.handshake = function (transportName, req) {
   var id = this.generateId(req);
 
   debug('handshaking client "%s"', id);
-  var opts = {
-    origins: this.origins
-  };
 
   try {
-    var transport = new transports[transportName](req, opts);
+    var transport = new transports[transportName](req);
     if ('polling' === transportName) {
       transport.maxHttpBufferSize = this.maxHttpBufferSize;
       transport.httpCompression = this.httpCompression;
@@ -314,7 +309,7 @@ Server.prototype.handshake = function (transportName, req) {
       transport.supportsBinary = true;
     }
   } catch (e) {
-    this.sendErrorMessage(req, req.res, Server.errors.BAD_REQUEST);
+    sendErrorMessage(req, req.res, Server.errors.BAD_REQUEST);
     return;
   }
   var socket = new Socket(id, this, transport, req);
@@ -408,10 +403,7 @@ Server.prototype.onWebSocket = function (req, socket) {
       // transport error handling takes over
       socket.removeListener('error', onUpgradeError);
 
-      var opts = {
-        origins: this.origins
-      };
-      var transport = new transports[req._query.transport](req, opts);
+      var transport = new transports[req._query.transport](req);
       if (req._query && req._query.b64) {
         transport.supportsBinary = false;
       } else {

lib/transport.js

@@ -26,14 +26,12 @@ function noop () {}
  * Transport constructor.
  *
  * @param {http.IncomingMessage} request
- * @param {Object} opts allows the origins option to be passed along
  * @api public
  */
 
-function Transport (req, opts) {
+function Transport (req) {
   this.readyState = 'open';
   this.discarded = false;
-  this.origins = opts.origins;
 }
 
 /**

lib/transports/index.js

@@ -27,10 +27,10 @@ exports.polling.upgradesTo = ['websocket'];
  * @api private
  */
 
-function polling (req, opts) {
+function polling (req) {
   if ('string' === typeof req._query.j) {
-    return new JSONP(req, opts);
+    return new JSONP(req);
   } else {
-    return new XHR(req, opts);
+    return new XHR(req);
   }
 }

lib/transports/polling-jsonp.js

@@ -21,8 +21,8 @@ module.exports = JSONP;
  * @api public
  */
 
-function JSONP (req, opts) {
-  Polling.call(this, req, opts);
+function JSONP (req) {
+  Polling.call(this, req);
 
   this.head = '___eio[' + (req._query.j || '').replace(/[^0-9]/g, '') + '](';
   this.foot = ');';

lib/transports/polling-xhr.js

@@ -18,8 +18,8 @@ module.exports = XHR;
  * @api public
  */
 
-function XHR (req, opts) {
-  Polling.call(this, req, opts);
+function XHR (req) {
+  Polling.call(this, req);
 }
 
 /**
@@ -58,10 +58,11 @@ XHR.prototype.onRequest = function (req) {
 XHR.prototype.headers = function (req, headers) {
   headers = headers || {};
 
-  headers['Access-Control-Allow-Origin'] = this.origins;
-  headers['Vary'] = 'Origin';
   if (req.headers.origin) {
     headers['Access-Control-Allow-Credentials'] = 'true';
+    headers['Access-Control-Allow-Origin'] = req.headers.origin;
+  } else {
+    headers['Access-Control-Allow-Origin'] = '*';
   }
 
   return Polling.prototype.headers.call(this, req, headers);

lib/transports/polling.js

@@ -27,8 +27,8 @@ module.exports = Polling;
  * @api public.
  */
 
-function Polling (req, opts) {
-  Transport.call(this, req, opts);
+function Polling (req) {
+  Transport.call(this, req);
 
   this.closeTimeout = 30 * 1000;
   this.maxHttpBufferSize = null;

lib/transports/websocket.js

@@ -21,8 +21,8 @@ module.exports = WebSocket;
  * @api public
  */
 
-function WebSocket (req, opts) {
-  Transport.call(this, req, opts);
+function WebSocket (req) {
+  Transport.call(this, req);
   var self = this;
   this.socket = req.websocket;
   this.socket.on('message', this.onData.bind(this));

test/server.js

@@ -58,7 +58,7 @@ describe('server', function () {
             expect(res.body.code).to.be(0);
             expect(res.body.message).to.be('Transport unknown');
             expect(res.header['access-control-allow-credentials']).to.be('true');
-            expect(res.header['access-control-allow-origin']).to.be('*');
+            expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
             done();
           });
       });
@@ -75,7 +75,7 @@ describe('server', function () {
             expect(res.body.code).to.be(1);
             expect(res.body.message).to.be('Session ID unknown');
             expect(res.header['access-control-allow-credentials']).to.be('true');
-            expect(res.header['access-control-allow-origin']).to.be('*');
+            expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
             done();
           });
       });
@@ -416,7 +416,7 @@ describe('server', function () {
             expect(res.body.code).to.be(3);
             expect(res.body.message).to.be('Bad request');
             expect(res.header['access-control-allow-credentials']).to.be('true');
-            expect(res.header['access-control-allow-origin']).to.be('*');
+            expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
             done();
           });
       });
@@ -932,7 +932,7 @@ describe('server', function () {
     it('should trigger transport close before open for ws', function (done) {
       var opts = { transports: ['websocket'] };
       listen(opts, function (port) {
-        var url = 'ws://%s:%d'.s('0.0.0.0', port);
+        var url = 'ws://%s:%d'.s('0.0.0.50', port);
         var socket = new eioc.Socket(url);
         socket.on('open', function () {
           done(new Error('Test invalidation'));
@@ -2589,7 +2589,7 @@ describe('server', function () {
 
   describe('cors', function () {
     it('should handle OPTIONS requests', function (done) {
-      listen({handlePreflightRequest: true, origins: 'engine.io:*'}, function (port) {
+      listen({handlePreflightRequest: true}, function (port) {
         request.options('http://localhost:%d/engine.io/default/'.s(port))
           .set('Origin', 'http://engine.io')
           .query({ transport: 'polling' })
@@ -2599,7 +2599,7 @@ describe('server', function () {
             expect(res.body.code).to.be(2);
             expect(res.body.message).to.be('Bad handshake method');
             expect(res.header['access-control-allow-credentials']).to.be('true');
-            expect(res.header['access-control-allow-origin']).to.be('engine.io:*');
+            expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
             done();
           });
       });
@@ -2624,7 +2624,7 @@ describe('server', function () {
         var headers = {};
         if (req.headers.origin) {
           headers['Access-Control-Allow-Credentials'] = 'true';
-          headers['Access-Control-Allow-Origin'] = '*';
+          headers['Access-Control-Allow-Origin'] = req.headers.origin;
         } else {
           headers['Access-Control-Allow-Origin'] = '*';
         }
@@ -2642,7 +2642,7 @@ describe('server', function () {
             expect(res.status).to.be(200);
             expect(res.body).to.be.empty();
             expect(res.header['access-control-allow-credentials']).to.be('true');
-            expect(res.header['access-control-allow-origin']).to.be('*');
+            expect(res.header['access-control-allow-origin']).to.be('http://engine.io');
             expect(res.header['access-control-allow-methods']).to.be('GET,HEAD,PUT,PATCH,POST,DELETE');
             expect(res.header['access-control-allow-headers']).to.be('origin, content-type, accept');
             done();