mirror of
https://github.com/Unleash/unleash.git
synced 2024-12-22 19:07:54 +01:00
fix: optimize cores headers (#5629)
This commit enhances two aspects of CORS: - Always support CORS preflight requests. - Do not add additional secuity headers for prefligh calls.
This commit is contained in:
parent
adb9ba5c09
commit
4618a52014
@ -102,10 +102,7 @@ export default async function getApp(
|
||||
// so this must be handled before the API token middleware.
|
||||
app.options(
|
||||
`${baseUriPath}/api/frontend*`,
|
||||
conditionalMiddleware(
|
||||
() => config.flagResolver.isEnabled('embedProxy'),
|
||||
corsOriginMiddleware(services, config),
|
||||
),
|
||||
corsOriginMiddleware(services, config),
|
||||
);
|
||||
|
||||
app.use(baseUriPath, patMiddleware(config, services));
|
||||
|
@ -7,7 +7,6 @@ export const conditionalMiddleware = (
|
||||
const router = Router();
|
||||
|
||||
router.use((req, res, next) => {
|
||||
res.setHeader('Vary', 'Origin');
|
||||
if (condition()) {
|
||||
middleware(req, res, next);
|
||||
} else {
|
||||
|
@ -19,7 +19,7 @@ export const corsOriginMiddleware = (
|
||||
{ proxyService }: Pick<IUnleashServices, 'proxyService'>,
|
||||
config: IUnleashConfig,
|
||||
): RequestHandler => {
|
||||
return cors(async (req, callback) => {
|
||||
const corsFunc = cors(async (req, callback) => {
|
||||
try {
|
||||
const { frontendApiOrigins = [] } =
|
||||
await proxyService.getFrontendSettings();
|
||||
@ -33,4 +33,8 @@ export const corsOriginMiddleware = (
|
||||
callback(error);
|
||||
}
|
||||
});
|
||||
return (req, res, next) => {
|
||||
res.setHeader('Vary', 'Origin');
|
||||
corsFunc(req, res, next);
|
||||
};
|
||||
};
|
||||
|
@ -116,11 +116,11 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
|
||||
});
|
||||
|
||||
return (req, res, next) => {
|
||||
const stripHeadersOnAPI =
|
||||
config.flagResolver.isEnabled('stripHeadersOnAPI');
|
||||
if (
|
||||
if (req.method === 'OPTIONS') {
|
||||
return next();
|
||||
} else if (
|
||||
req.path.startsWith(`${config.server.baseUriPath}/api/`) &&
|
||||
stripHeadersOnAPI
|
||||
config.flagResolver.isEnabled('stripHeadersOnAPI')
|
||||
) {
|
||||
apiHelmet(req, res, next);
|
||||
} else {
|
||||
|
Loading…
Reference in New Issue
Block a user