Rob--W / cors-anywhere

CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request.
MIT License

How to whitelist same-origin requests? #366

Closed sippeangelo closed 3 years ago

sippeangelo commented 3 years ago

Since same-origin requests don't send the Origin header you have to rely on the X-Requested-With header, but this is not enough when using the originWhitelist option. I was hoping to be able to use originWhitelist to allow all same-origin requests, but also whitelist a set of extra external origins, but setting this option completely blocks same-origin requests.

I'm able to do this by setting originWhitelist: ",http://localhost", for example. But this feels like a hack since the first "empty" value in that list just happens to cause equality when the Origin header is missing due to https://github.com/Rob--W/cors-anywhere/blob/02f0cbd9291eca55953406acc7f7f08c64d13454/lib/cors-anywhere.js#L361. Is there a reason that same-origin requests are denied when originWhitelist is set?

To only allow same-origin requests I'd likewise have to set originWhitelist: ",", which seems even weirder. Am I missing something? How would I lock it down to only same-origin requests?

Rob--W commented 3 years ago

Side note, originWhitelist should be an array of origins, not a string.

To lock it down to same-origin requests, you'd have to only allow the empty origin (e.g. [""]). To make sure that the request is really same-origin (and not a non-cors cross-origin request), you'd have to require a dummy header that can only exist if approved via preflight request (e.g. the X-Requested-With header).

sippeangelo commented 3 years ago

I neglected to mention that I was actually using the environment variables, so I can't set it to empty because that counts as the variable being unset, but I guess a single comma is okay in that case anyways!