From fe093bae1adce99e01dfdd3ce7542957785098b5 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Wed, 21 Oct 2020 00:46:32 +0200
Subject: [PATCH] fix: do not overwrite CORS headers upon error

The Access-Control-Allow-xxx headers added by the cors middleware were overwritten when sending an error response.

Those lines should have been removed in [1].

[1]: https://github.com/socketio/engine.io/commit/61b949259ed966ef6fc8bfd61f14d1a2ef06d319

Related: https://github.com/socketio/engine.io/issues/605
---
 lib/server.js | 6 -----
 test/server.js | 62 +++++++++++++++++++-------------------------------
 2 files changed, 24 insertions(+), 44 deletions(-)

diff --git a/lib/server.js b/lib/server.js
index 6b8c747f..6033b0b0 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -475,12 +475,6 @@ function sendErrorMessage(req, res, code) {
 );
 return;
 }
- if (req.headers.origin) {
- headers["Access-Control-Allow-Credentials"] = "true";
- headers["Access-Control-Allow-Origin"] = req.headers.origin;
- } else {
- headers["Access-Control-Allow-Origin"] = "*";
- }
 if (res !== undefined) {
 res.writeHead(400, headers);
 res.end(
diff --git a/test/server.js b/test/server.js
index 9f734ace..aeef7887 100644
--- a/test/server.js
+++ b/test/server.js
@@ -33,7 +33,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(0);
 expect(res.body.message).to.be("Transport unknown");
- expect(res.header["access-control-allow-origin"]).to.be("*");
 done();
 });
 });
@@ -51,12 +50,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(0);
 expect(res.body.message).to.be("Transport unknown");
- expect(res.header["access-control-allow-credentials"]).to.be(
- "true"
- );
- expect(res.header["access-control-allow-origin"]).to.be(
- "http://engine.io"
- );
 done();
 });
 });
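Review bot: The new side of the lib/server.js hunk carries no explanation of why sendErrorMessage sets no Access-Control-Allow-* headers, and the commit message says this same block was supposed to have been removed once before, so a comment is needed to keep it from being re-added; I would put `// CORS headers are owned by the cors middleware (when configured); never set Access-Control-Allow-* here, see engine.io#605` directly above `if (res !== undefined) {`. Leaving the headers to the middleware also means an error response no longer reflects an arbitrary request Origin together with Allow-Credentials, which is the outcome a defender wants here. It is worth confirming that `req` is still read elsewhere in sendErrorMessage now that `req.headers.origin` is gone, since otherwise the parameter is unused. sendErrorMessage begins and ends outside the hunk.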
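Review bot: Deleting the header assertions in the @@ -33 hunk (and likewise in the @@ -51, @@ -73 and @@ -101 hunks) leaves the fixed behaviour unpinned: nothing now checks that an error response sent by a server started without a cors option carries no Access-Control-Allow-Origin header, which is exactly the regression this commit fixes. If these tests call listen() without cors (the setup is outside the hunks), replacing the removed lines with `expect(res.header["access-control-allow-origin"]).to.be(undefined);` and `expect(res.header["access-control-allow-credentials"]).to.be(undefined);` would keep the absence case covered. The @@ -101 hunk already asserted undefined for both headers, and those two assertions look like they would still pass on the new side, so dropping them loses coverage for no gain.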
@@ -73,12 +66,6 @@ describe("server", function() {
 expect(res.status).to.be(400);
 expect(res.body.code).to.be(1);
 expect(res.body.message).to.be("Session ID unknown");
- expect(res.header["access-control-allow-credentials"]).to.be(
- "true"
- );
- expect(res.header["access-control-allow-origin"]).to.be(
- "http://engine.io"
- );
 done();
 });
 });
@@ -101,12 +88,6 @@ describe("server", function() {
 expect(res.status).to.be(403);
 expect(res.body.code).to.be(4);
 expect(res.body.message).to.be("Thou shall not pass");
- expect(res.header["access-control-allow-credentials"]).to.be(
- undefined
- );
- expect(res.header["access-control-allow-origin"]).to.be(
- undefined
- );
 done();
 });
 }
@@ -488,25 +469,30 @@ describe("server", function() {
 });
 
 it("should disallow bad requests", function(done) {
- listen(function(port) {
- request
- .get("http://localhost:%d/engine.io/default/".s(port))
- .set("Origin", "http://engine.io")
- .query({ transport: "websocket" })
- .end(function(err, res) {
- expect(err).to.be.an(Error);
- expect(res.status).to.be(400);
- expect(res.body.code).to.be(3);
- expect(res.body.message).to.be("Bad request");
- expect(res.header["access-control-allow-credentials"]).to.be(
- "true"
- );
- expect(res.header["access-control-allow-origin"]).to.be(
- "http://engine.io"
- );
- done();
- });
- });
+ listen(
+ {
+ cors: { credentials: true, origin: "http://engine.io" }
+ },
+ function(port) {
+ request
+ .get("http://localhost:%d/engine.io/default/".s(port))
+ .set("Origin", "http://engine.io")
+ .query({ transport: "websocket" })
+ .end(function(err, res) {
+ expect(err).to.be.an(Error);
+ expect(res.status).to.be(400);
+ expect(res.body.code).to.be(3);
+ expect(res.body.message).to.be("Bad request");
+ expect(res.header["access-control-allow-credentials"]).to.be(
+ "true"
+ );
+ expect(res.header["access-control-allow-origin"]).to.be(
+ "http://engine.io"
+ );
+ done();
+ });
+ }
+ );
 });
 
 it("should send a packet along with the handshake", function(done) {
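Review bot: The reworked "should disallow bad requests" test in the @@ -488 hunk only exercises the allowed case, where the request Origin equals the configured `origin: "http://engine.io"`, so it cannot distinguish a middleware-driven allowlist from the old reflect-any-Origin behaviour the commit removes. A companion request in the same listen() setup with a different Origin value asserting `expect(res.header["access-control-allow-origin"]).to.be(undefined);` and `expect(res.header["access-control-allow-credentials"]).to.be(undefined);` on the 400 response would pin that the header is only emitted for the configured origin. The it() callback is fully visible in the hunk, but the surrounding describe block continues outside it.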