From b3a13b026c521e45650328d92243d76043be682b Mon Sep 17 00:00:00 2001 From: bulk88 Date: Sun, 27 Sep 2020 15:19:26 -0400 Subject: [PATCH] only send Access-Control-Max-Age if preflight request, not POST/GET -Access-Control-Max-Age header only has meaning for preflights, not POST or GET, saves wire bytes by excluding it from POST/GET/etc, and future problems if ACMA on a content HTTP method is given meaning by W3C or a browser vendor -fix expectNoHeader() test helper func ,this was a no-op before by accident and would NEVER fail, supertest/test.js:Test.prototype._assertFunction requires an retval of class type Error if test fail, not a string or a number or Object --- lib/cors-anywhere.js | 2 +- test/test.js | 42 +++++++++++++++++++++++++++++++++++++----- 2 files changed, 38 insertions(+), 6 deletions(-) diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js index c9d8936..9002644 100644 --- a/lib/cors-anywhere.js +++ b/lib/cors-anywhere.js @@ -53,7 +53,7 @@ function isValidHostName(hostname) { function withCORS(headers, request) { headers['access-control-allow-origin'] = '*'; var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge; - if (corsMaxAge) { + if (request.method === 'OPTIONS' && corsMaxAge) { headers['access-control-max-age'] = corsMaxAge; } if (request.headers['access-control-request-method']) { diff --git a/test/test.js b/test/test.js index 95f2fb6..3795a50 100644 --- a/test/test.js +++ b/test/test.js @@ -23,7 +23,7 @@ request.Test.prototype.expectJSON = function(json, done) { request.Test.prototype.expectNoHeader = function(header, done) { this.expect(function(res) { if (header.toLowerCase() in res.headers) { - return 'Unexpected header in response: ' + header; + return new Error('Unexpected header in response: ' + header); } }); return done ? this.end(done) : this; @@ -934,20 +934,36 @@ describe('Access-Control-Max-Age set', function() { }); after(stopServer); - it('GET /', function(done) { + it('OPTIONS /', function(done) { + request(cors_anywhere) + .options('/') + .expect('Access-Control-Allow-Origin', '*') + .expect('Access-Control-Max-Age', '600') + .expect(200, '', done); + }); + + it('OPTIONS /example.com', function(done) { + request(cors_anywhere) + .options('/example.com') + .expect('Access-Control-Allow-Origin', '*') + .expect('Access-Control-Max-Age', '600') + .expect(200, '', done); + }); + + it('GET / no Access-Control-Max-Age on GET', function(done) { request(cors_anywhere) .get('/') .type('text/plain') .expect('Access-Control-Allow-Origin', '*') - .expect('Access-Control-Max-Age', '600') + .expectNoHeader('Access-Control-Max-Age') .expect(200, helpText, done); }); - it('GET /example.com', function(done) { + it('GET /example.com no Access-Control-Max-Age on GET', function(done) { request(cors_anywhere) .get('/example.com') .expect('Access-Control-Allow-Origin', '*') - .expect('Access-Control-Max-Age', '600') + .expectNoHeader('Access-Control-Max-Age') .expect(200, 'Response from example.com', done); }); }); @@ -959,6 +975,22 @@ describe('Access-Control-Max-Age not set', function() { }); after(stopServer); + it('OPTIONS / corsMaxAge disabled', function(done) { + request(cors_anywhere) + .options('/') + .expect('Access-Control-Allow-Origin', '*') + .expectNoHeader('Access-Control-Max-Age') + .expect(200, '', done); + }); + + it('OPTIONS /example.com corsMaxAge disabled', function(done) { + request(cors_anywhere) + .options('/example.com') + .expect('Access-Control-Allow-Origin', '*') + .expectNoHeader('Access-Control-Max-Age') + .expect(200, '', done); + }); + it('GET /', function(done) { request(cors_anywhere) .get('/')