Skip to content

Commit

Permalink
Merge pull request #277 from bulk88/no_AC_max_age_header_on_get_post_…
Browse files Browse the repository at this point in the history 
…meth

only send Access-Control-Max-Age if preflight request, not POST/GET
  • Loading branch information
@Rob--W
Rob--W authored Sep 27, 2020
2 parents a0309e6 + b3a13b0 commit 3bab870
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 6 deletions.
2 changes: 1 addition & 1 deletion lib/cors-anywhere.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ function isValidHostName(hostname) {
function withCORS(headers, request) {
headers['access-control-allow-origin'] = '*';
var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge;
if (corsMaxAge) {
if (request.method === 'OPTIONS' && corsMaxAge) {
headers['access-control-max-age'] = corsMaxAge;
}
if (request.headers['access-control-request-method']) {
Expand Down
42 changes: 37 additions & 5 deletions test/test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ request.Test.prototype.expectJSON = function(json, done) {
request.Test.prototype.expectNoHeader = function(header, done) {
this.expect(function(res) {
if (header.toLowerCase() in res.headers) {
return 'Unexpected header in response: ' + header;
return new Error('Unexpected header in response: ' + header);
}
});
return done ? this.end(done) : this;
Expand Down Expand Up @@ -934,20 +934,36 @@ describe('Access-Control-Max-Age set', function() {
});
after(stopServer);

it('GET /', function(done) {
it('OPTIONS /', function(done) {
request(cors_anywhere)
.options('/')
.expect('Access-Control-Allow-Origin', '*')
.expect('Access-Control-Max-Age', '600')
.expect(200, '', done);
});

it('OPTIONS /example.com', function(done) {
request(cors_anywhere)
.options('/example.com')
.expect('Access-Control-Allow-Origin', '*')
.expect('Access-Control-Max-Age', '600')
.expect(200, '', done);
});

it('GET / no Access-Control-Max-Age on GET', function(done) {
request(cors_anywhere)
.get('/')
.type('text/plain')
.expect('Access-Control-Allow-Origin', '*')
.expect('Access-Control-Max-Age', '600')
.expectNoHeader('Access-Control-Max-Age')
.expect(200, helpText, done);
});

it('GET /example.com', function(done) {
it('GET /example.com no Access-Control-Max-Age on GET', function(done) {
request(cors_anywhere)
.get('/example.com')
.expect('Access-Control-Allow-Origin', '*')
.expect('Access-Control-Max-Age', '600')
.expectNoHeader('Access-Control-Max-Age')
.expect(200, 'Response from example.com', done);
});
});
Expand All @@ -959,6 +975,22 @@ describe('Access-Control-Max-Age not set', function() {
});
after(stopServer);

it('OPTIONS / corsMaxAge disabled', function(done) {
request(cors_anywhere)
.options('/')
.expect('Access-Control-Allow-Origin', '*')
.expectNoHeader('Access-Control-Max-Age')
.expect(200, '', done);
});

it('OPTIONS /example.com corsMaxAge disabled', function(done) {
request(cors_anywhere)
.options('/example.com')
.expect('Access-Control-Allow-Origin', '*')
.expectNoHeader('Access-Control-Max-Age')
.expect(200, '', done);
});

it('GET /', function(done) {
request(cors_anywhere)
.get('/')
Expand Down

0 comments on commit 3bab870

Please sign in to comment.