CORS support for multiple origins #483

Closed
scottcorgan opened this issue Feb 5, 2013 · 6 comments
feature New functionality or improvement

@scottcorgan

Because we have no access to the request object when setting up cors in the server configuration, I am unable to define multiple authorized origins.

var serverConfig = {
    cors: {
        origin: ['http://localhost:3000', 'http://localhost:8000']
    }
};

var server = new Hapi.Server(port, serverConfig);

If there's another way, can you please provide an example? Thanks so much!

@scottcorgan
Author

This is my proposed solution to accommodate this feature in Hapi:

// headers.js

exports.cors = function (response, request) {

    if (request.server.settings.cors) {

        // Set the origin
        // * it's a hack for multiple origins for CORS

        var origin = request.raw.req.headers.origin,                    // Origin header sent by the client
            authorizedOrigins = request.server.settings.cors._origin,   // configured allowed origins
            requestOrigin = request.server.settings.cors._origin;       // value to send back; defaults to the configured origins

        // Validate the origin's authority

        if (authorizedOrigins.indexOf(origin) > -1) {
            requestOrigin = origin;     // narrow the response to the one requesting origin
        }

        response.header('Access-Control-Allow-Origin', requestOrigin);
        response.header('Access-Control-Max-Age', request.server.settings.cors.maxAge);
        response.header('Access-Control-Allow-Methods', request.server.settings.cors._methods);
        response.header('Access-Control-Allow-Headers', request.server.settings.cors._headers);

        if (request.server.settings.cors.credentials) {
            response.header('Access-Control-Allow-Credentials', 'true');
        }
    }
};
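
The narrowing proposed above, as an added example that is not part of the original post and not hapi's code: a framework-independent header selection that compares the request's Origin against each allow-list entry exactly and sets `Vary: Origin`. The helper name `corsHeaders`, the `settings` shape (taken from the config in the first comment) and the choice to omit `Access-Control-Allow-Origin` for unlisted origins are assumptions of this example.

```javascript
// Added example; corsHeaders() is a hypothetical helper, not a hapi API.
// `settings` mirrors the issue's config: { cors: { origin: [...], credentials: bool } }.
function corsHeaders(requestOrigin, settings) {
    const cors = settings && settings.cors;
    if (!cors) {
        return {};                                  // CORS not configured: emit nothing
    }

    const allowed = [].concat(cors.origin || []);   // accept a single string or an array

    if (allowed.indexOf('*') !== -1) {
        if (cors.credentials) {
            // Browsers refuse "*" on credentialed requests; fail at the config, not per request
            throw new Error('cors.origin "*" cannot be combined with credentials');
        }
        return { 'Access-Control-Allow-Origin': '*' };
    }

    // The response varies with the Origin request header, so caches must key on it;
    // otherwise a response narrowed for one origin can be served to another.
    const headers = { 'Vary': 'Origin' };

    // Array.prototype.indexOf compares whole entries. The same call on a joined
    // string would be a substring match and accept e.g. "http://localhost:80".
    if (typeof requestOrigin !== 'string' || allowed.indexOf(requestOrigin) === -1) {
        return headers;                             // unlisted or missing Origin: no allow header
    }

    headers['Access-Control-Allow-Origin'] = requestOrigin;
    if (cors.credentials) {
        headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return headers;
}

// Constructed sample input, using the two origins from the issue's config
const sampleSettings = {
    cors: { origin: ['http://localhost:3000', 'http://localhost:8000'], credentials: true }
};
console.log(corsHeaders('http://localhost:8000', sampleSettings));  // listed origin
console.log(corsHeaders('http://localhost:80', sampleSettings));    // prefix of a listed origin
```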

@hueniverse
Contributor

Trying to understand the use case. You can define multiple origin values as shown in your code above. Is this an issue with browsers not understanding that part of the spec? Is this about narrowing down the response to just one origin (as long as it is in the list)?

@ghost ghost assigned hueniverse Feb 5, 2013
@scottcorgan
Author

@hueniverse, Thanks for the response. It seems to be about narrowing down the response to just one origin as long as it's in the list. I have several internal apps that will need to access our api. I'd prefer to just use XHR to handle information creation and updating.

Make sense?

@hueniverse
Contributor

Sure thing. Will be included in the next release.

@scottcorgan
Author

Awesome, thanks!

@lock

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
3 participants