HttpNodeCors options are not applied to HttpStatic routes

[shrickus]

Current Behavior

I have enabled the httpNodeCors option example in the settings.js file, in hopes that I could disable the CORS errors that occur when tryinbg to pull a static file from Node-RED through a 3rd-party website (e.g. observablehq.com).

Forum discussion can be found here

Expected Behavior

There should be a way to disable CORS on the httpStatic routes -- either by applying the httpNodeCors option, or else by supporting a new httpStaticCors options setting (if different control is needed for static files).

Steps To Reproduce

I am using these settings:

httpAdminRoot: "/admin",
httpNodeRoot: "/red",
httpStatic: "/opt/nodered/static",
httpNodeCors: {
    origin: "*",
    methods: "GET"
}

I am using my local browser to show the static file at url https://my.site/public/data.json -- WORKS.

When I access a website that is configured to fetch the same static file url, I get this error:

Access to fetch at 'https://my.site/public/data.json' from origin 'https://shrickus.static.observableusercontent.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Example flow

N/A

Environment

• Node-RED version: 3.0.2
• Node.js version: 16.19.0
• npm version: 8.19.3
• Platform/OS: EC2 Linux / Amzn2.x86_64
• Browser: Chrome v124.0.6367.208 (64-bit)

[hardillb]

Check 3.1.x and the 4.0.0 beta as I'm 85% sure this got fixed recently

[knolleary]

The httpNodeCors setting is only applied to the HTTP node routes.

In 3.1, we did add some more flexibility to the httpStatic configuration, but it didn't include cors.

I don't think it would be right to blindly apply httpNodeCors to httpStatic, but we can add a separate setting for it.

• httpStaticCors will get applied to any/all httpStatic configurations.
• if httpStatic is an object, it can have a cors property to apply

[knolleary]

@shrickus added to Node-RED 4 - https://github.com/node-red/node-red/pull/4761