Conditional credentials? #336
Comments
|
Do you have example code you can share for what you're trying to do in your app? You can configure CORS options on a per request basis by passing in a function when setting the middleware up. https://github.com/expressjs/cors#configuring-cors-asynchronously Each request that comes in can get a chance to determine the CORS options which should be used. I can see the need for a function for credentials if you don't have the information you need until further down in the handler logic. It would be simpler for sure. But want to understand the usecase here before making every option either a value or a function. |
I was doing something like: cors({
origin: ['a', 'b'],
credentials: true,
});It seemed inconsistent to send
Thanks, this seems adequate. I've ended up with something like: app.use(() => {
const wrapped = cors((req, callback) => {
try {
const { allow, credentials } = getOptions(req);
if(allow) {
callback(null, {
origin: true,
credentials,
methods: 'GET,POST', // keep it simple
maxAge: 86400, // max(firefox, chrome) - see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
});
} else {
callback(null, { origin:false });
}
} catch(err) {
callback(err);
}
});
return (req, res, next) => {
wrapped(req, res, () => {
res.vary(varyHeaderFor(req));
next();
});
};
});
function varyHeaderFor({ method }) {
switch(method) {
case 'OPTIONS': return 'Origin, Access-Control-Request-Headers';
default: return 'Origin';
}
}where The |
Would there be support for configuring the
Access-Control-Allow-Credentialsheader dynamically? It looks like currently the only valid values for thecredentialsconfig option istrue. Allowing a function similar to theoriginoption would allow for settingAccess-Control-Allow-Credentialsbased on the request.The text was updated successfully, but these errors were encountered: