diff --git a/index.js b/index.js index b3b6038..21efd8b 100644 --- a/index.js +++ b/index.js @@ -48,6 +48,7 @@ const cors = require('./micro-cors.js')({ allowHeaders, exposeHeaders, allowMethods, + allowCredentials: false, origin }) const allow = require('./allow-request.js') @@ -86,6 +87,8 @@ async function service (req, res) { // Don't waste my precious bandwidth return send(res, 403, '') } + + // Handle CORS preflight request if (req.method === 'OPTIONS') { return send(res, 200, '') } @@ -120,4 +123,4 @@ async function service (req, res) { f.body.pipe(res) } -module.exports = cors(service) \ No newline at end of file +module.exports = cors(service) diff --git a/micro-cors.js b/micro-cors.js index ed3200c..a5d9b7b 100644 --- a/micro-cors.js +++ b/micro-cors.js @@ -1,5 +1,6 @@ // MIT License // https://github.com/possibilities/micro-cors +// source: https://github.com/possibilities/micro-cors/pull/42 const DEFAULT_ALLOW_METHODS = [ 'POST', 'GET', @@ -26,11 +27,14 @@ const cors = (options = {}) => handler => (req, res, ...restArgs) => { maxAge = DEFAULT_MAX_AGE_SECONDS, allowMethods = DEFAULT_ALLOW_METHODS, allowHeaders = DEFAULT_ALLOW_HEADERS, + allowCredentials = true, exposeHeaders = [] } = options res.setHeader('Access-Control-Allow-Origin', origin) - res.setHeader('Access-Control-Allow-Credentials', 'true') + if (allowCredentials) { + res.setHeader('Access-Control-Allow-Credentials', 'true') + } if (exposeHeaders.length) { res.setHeader('Access-Control-Expose-Headers', exposeHeaders.join(',')) }