mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00

fix: optimize cores headers (#5629)

This commit enhances two aspects of CORS:

- Always support CORS preflight requests.
- Do not add additional security headers for preflight calls.
Ivar Conradi Østhus 2023-12-13 16:12:17 +01:00 committed by GitHub
parent adb9ba5c09
commit 4618a52014
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 10 additions and 10 deletions


@ -102,10 +102,7 @@ export default async function getApp(
// so this must be handled before the API token middleware.
app.options(
`${baseUriPath}/api/frontend*`,
conditionalMiddleware(
() => config.flagResolver.isEnabled('embedProxy'),
corsOriginMiddleware(services, config),
),
corsOriginMiddleware(services, config),
);
app.use(baseUriPath, patMiddleware(config, services));
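Review bot: The `app.options` handler for `${baseUriPath}/api/frontend*` is now registered unconditionally and still sits before the API token middleware, so every unauthenticated preflight reaches `corsOriginMiddleware`, which awaits `proxyService.getFrontendSettings()`. Whether that call is cached is not visible here; it is worth confirming, since the path can no longer be switched off through `embedProxy`. The comment above the call should record the new contract, e.g. `// Always registered (no feature flag): answers preflight for the frontend API from the configured frontendApiOrigins.` A test asserting that a preflight from an origin outside `frontendApiOrigins` receives no `Access-Control-Allow-Origin` would pin the behaviour. `getApp` starts and ends outside this hunk.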


@ -7,7 +7,6 @@ export const conditionalMiddleware = (
const router = Router();
router.use((req, res, next) => {
res.setHeader('Vary', 'Origin');
if (condition()) {
middleware(req, res, next);
} else {


@ -19,7 +19,7 @@ export const corsOriginMiddleware = (
{ proxyService }: Pick<IUnleashServices, 'proxyService'>,
config: IUnleashConfig,
): RequestHandler => {
return cors(async (req, callback) => {
const corsFunc = cors(async (req, callback) => {
try {
const { frontendApiOrigins = [] } =
await proxyService.getFrontendSettings();
@ -33,4 +33,8 @@ export const corsOriginMiddleware = (
callback(error);
}
});
return (req, res, next) => {
res.setHeader('Vary', 'Origin');
corsFunc(req, res, next);
};
};
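Review bot: `res.setHeader('Vary', 'Origin')` in the returned handler replaces any `Vary` value that earlier middleware may already have set instead of adding to it, so a shared cache could stop keying on those other fields. Express provides `res.vary('Origin');`, which appends the field without duplicating it. The wrapper also deserves a one-line comment saying why the header is set outside `cors` — presumably so responses vary on Origin even when the resolved origin setting is a wildcard; confirm against the lines between the two hunks, which are not shown.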


@ -116,11 +116,11 @@ const secureHeaders: (config: IUnleashConfig) => RequestHandler = (config) => {
});
return (req, res, next) => {
const stripHeadersOnAPI =
config.flagResolver.isEnabled('stripHeadersOnAPI');
if (
if (req.method === 'OPTIONS') {
return next();
} else if (
req.path.startsWith(`${config.server.baseUriPath}/api/`) &&
stripHeadersOnAPI
config.flagResolver.isEnabled('stripHeadersOnAPI')
) {
apiHelmet(req, res, next);
} else {