Route level CORS config overrides connection level defaults #2980

@csrl

Description

It seems that the server options' route defaults are no longer used when route-specific config options are present. v10.5.0 worked as expected, and v11.0.0+ does not.

```js
var Hapi = require('hapi');
var server = new Hapi.Server({
  // connection-level route defaults: every route should send allow-credentials
  connections:{routes:{cors:{credentials:true}}}
});
server.connection({host:'localhost', port:8080});
server.route({
  method:'GET',
  path:'/session',
  config:{
    // no route-level cors object: the connection default applies
    handler: function (request, reply) { reply(); }
  },
});
server.start(function () {});
```

```
$ curl -X GET http://localhost:8080/session -H 'Origin: mydomain.com' -H 'Access-Control-Request-Method: "GET"' -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying ::1...
* connect to ::1 port 8080 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /session HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.45.0
> Accept: */*
> Origin: mydomain.com
> Access-Control-Request-Method: "GET"
> 
< HTTP/1.1 200 OK
< vary: origin
< access-control-allow-origin: mydomain.com
< access-control-allow-credentials: true
< access-control-expose-headers: WWW-Authenticate,Server-Authorization
< cache-control: no-cache
< content-length: 0
< Date: Thu, 17 Dec 2015 06:01:52 GMT
< Connection: keep-alive
< 
* Connection #0 to host localhost left intact
```

But adding a 'cors' configuration object to the route causes the 'access-control-allow-credentials' header to be dropped.

```js
var Hapi = require('hapi');
var server = new Hapi.Server({
  // connection-level route defaults, same as above
  connections:{routes:{cors:{credentials:true}}}
});
server.connection({host:'localhost', port:8080});
server.route({
  method:'GET',
  path:'/session',
  config:{
    // route-level cors object that only restricts origin
    cors:{origin:['mydomain.com']},
    handler: function (request, reply) { reply(); }
  },
});
server.start(function () {});
```

```
$ curl -X GET http://localhost:8080/session -H 'Origin: mydomain.com' -H 'Access-Control-Request-Method: "GET"' -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying ::1...
* connect to ::1 port 8080 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /session HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.45.0
> Accept: */*
> Origin: mydomain.com
> Access-Control-Request-Method: "GET"
> 
< HTTP/1.1 200 OK
< vary: origin
< access-control-allow-origin: mydomain.com
< access-control-expose-headers: WWW-Authenticate,Server-Authorization
< cache-control: no-cache
< content-length: 0
< Date: Thu, 17 Dec 2015 06:02:48 GMT
< Connection: keep-alive
< 
* Connection #0 to host localhost left intact
```

Is this intentional? I much prefer being able to have default values in place and explicitly override specific keys, rather than having to respecify all values for a route where only one of them needs to be customized.
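The two behaviours described in the report, modelled side by side as an added example (this is not hapi's code and not from the issue author). `replaceCors` reproduces what the second curl transcript shows on v11.0.0+, where a partial route-level `cors` object replaces the connection-level object wholesale; `mergeCors` reproduces the key-wise override the author expects from v10.5.0. `corsHeaders` is a deliberately simplified model of the response headers seen in the transcripts (echo the request `Origin` when it is allowed, add `vary: origin`, add `access-control-allow-credentials` only when `credentials` is true); the function names, the `droppedHeaders` helper and the unknown-origin case are assumptions made for the illustration, not hapi APIs.

```javascript
'use strict';

// Constructed copies of the two configurations from the issue.
const connectionDefaults = { cors: { credentials: true } };  // server option connections.routes
const routeConfig = { cors: { origin: ['mydomain.com'] } };  // route config from the second snippet

// Behaviour the issue reports on v11.0.0+: a route-level `cors` object replaces
// the connection-level one wholesale, so every key not restated is lost.
function replaceCors(defaults, route) {
  return route.cors !== undefined ? { ...route.cors } : { ...defaults.cors };
}

// Behaviour the author expects (and saw on v10.5.0): key-wise merge in which
// route keys win and unspecified keys fall back to the connection default.
function mergeCors(defaults, route) {
  return { ...defaults.cors, ...(route.cors || {}) };
}

// Simplified model of the CORS headers for a simple (non-preflight) request,
// following the curl transcripts: the request Origin is echoed when it is on
// the allow list (an absent list or '*' allows any origin), together with
// `vary: origin`; allow-credentials is sent only when `credentials` is true.
// Hypothetical model for illustrating the merge semantics, not hapi itself.
function corsHeaders(cors, requestOrigin) {
  const headers = {};
  const list = cors.origin;
  const allowed = list === undefined || list.includes('*') || list.includes(requestOrigin);
  if (!allowed) {
    return headers;  // origin not permitted: no CORS headers at all
  }
  headers['vary'] = 'origin';
  headers['access-control-allow-origin'] = requestOrigin;
  if (cors.credentials === true) {
    headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Headers present under the merge strategy but missing under the replace
// strategy: what a deployment silently loses when it adds a partial
// route-level `cors` object on top of connection-level defaults.
function droppedHeaders(defaults, route, requestOrigin) {
  const expected = corsHeaders(mergeCors(defaults, route), requestOrigin);
  const actual = corsHeaders(replaceCors(defaults, route), requestOrigin);
  return Object.keys(expected).filter((name) => !(name in actual));
}

console.log('replace:', corsHeaders(replaceCors(connectionDefaults, routeConfig), 'mydomain.com'));
console.log('merge:  ', corsHeaders(mergeCors(connectionDefaults, routeConfig), 'mydomain.com'));
console.log('dropped:', droppedHeaders(connectionDefaults, routeConfig, 'mydomain.com'));
```

Running the block prints the header set produced by each strategy for the issue's request and lists `access-control-allow-credentials` as the header that only the replace strategy drops. The same comparison is a useful regression check after any framework upgrade: diff the CORS headers each route actually returns against the ones the configuration was written to produce, rather than trusting that defaults still merge the way they did.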

Labels: bug (Bug or defect), security (Issue with security impact)
