Open SkepticNerdGuy opened 2 years ago
This issue has been inactive for 180 days
There is https://github.com/http-party/http-server/issues/729 which should resolve this issue by allowing http-server to mirror the Origin instead of responding with `*`. This should let you avoid hardcoding allowed origins.
Edit: whoops I forgot that you were already aware of https://github.com/http-party/http-server/issues/729. However this link is good to have here for posterity.
What's the problem this feature will solve?

Currently, with --cors enabled, `access-control-allow-origin` is hard coded to `*`. If http-server is behind features that require authentication (client SSL certs in my case), the fetch spec requires browsers to validate that the requesting server be set as an allowed origin. So when server1 makes a request to server2 it fails because of the wildcard. This is the intended behavior as designed. Firefox currently (correctly) follows the fetch spec, but Chrome and Edge do not. At some point, Chrome and Edge 'should' eventually be fixed. Chrome and Edge still send certs unprompted when executing the fetch command, but when fetch is set to `{credentials:"include"}` in server1 requesting information from server2 you now get this error:

Describe the solution you'd like
Requesting the ability to customize access-control-allow-origin headers in order to pass specific domains or set `*` manually. This will allow http-server to be used correctly with authentication when a fetch is set to `{ credentials:"include" }`.

Alternative Solutions
When the requesting server does not have fetch set to `{ credentials:"include" }`:

- `network.cors_preflight.allow_client_cert` to true. Otherwise the browser fails preflight because certs are not passed.
- `Omit TLS client certificates if credential mode disallows` to disabled. This is also the default behavior: Chrome automatically sends credentials, which is against the spec.

When fetch is set to `{ credentials:"include" }` on server1: fails on all browsers.
Alternate hack

Modify the http-server source locally to hard code for my specific use-case: replace `access-control-allow-origin = '*'` and hard code it to `access-control-allow-origin = 'https://server1.tld'` so it works for me. Then enable --cors and start http-server.

Additional context
I'm sure there are other use-cases for setting `access-control-allow-origin` to custom domains, but for the authentication issue with client SSL certs, it's a must have. I am aware that solution #760 to issue #729 can potentially fix my problem, but automatically mirroring the origin server will allow any origin to pass credentials, which is not very safe. This fix should only be used for testing and not production.