Open sysaxis opened 3 years ago
I don't follow your scenario. Can you describe it in more detail, perhaps a diagram?
The `origin` used in the line you linked is the `Origin` header sent by the browser when making the requests. It can be completely different from the backend server URL, and that is OK.
Server: http://localhost:8081
Frontend dev: http://localhost:8080
For some reason, the connection fails due to CORS: Access to XMLHttpRequest at 'http://localhost:8081/mypath/info?t=1636117522701' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The "disable_cors" parameter has not been set, thus CORS is enabled. It seems that the issue is in something else. The request doesn't even reach any of the checkpoints where sockjs sets the CORS headers (xhr and eventsource transport).
My current workaround was adding a proxy path (http://localhost:8081/ -> http://localhost:8080/) and the CORS issue got resolved when the application was opened at the proxy path.
I think it's important to mention that I am using expressjs along with sockjs. It may be the reason for such behaviour, because websocket connections also fail for an unknown reason (which is why the application falls back to xhr polling).

```js
// example
const express = require('express');
const cors = require('cors');
const sockjs = require('sockjs');

const app = express();
app.use(cors());
// app.use(...);

const server = app.listen(8081);
const sock = sockjs.createServer();
// ...subscribe to events
sock.installHandlers(server, { prefix: '/mypath.*' });
```
Using express is fine, there is an example of how to use it even: https://github.com/sockjs/sockjs-node/blob/v0.3/examples/express/server.js
Imagine a situation where you are running the service on one port and the frontend dev server on another. It's impossible to use sockjs connections, because it will end up with a CORS error (the origin differs from the backend server URL).
How about enabling configuration of the default response header for Access-Control-Allow-Origin in middleware.js#L123? If you are worried about the potential for unintended security flaws, then add an explicit check to not allow overriding it in a production environment.
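An added example of the approach proposed above (an explicit origin allowlist with a guard against a wildcard in production); this is not sockjs-node's code and was not posted by anyone in this thread. The function names `allowOriginValue`, `corsAllowlist` and `runMiddleware`, the `DEV_ALLOWED_ORIGINS` list, and the use of `NODE_ENV` as the environment switch are all assumptions. The middleware is written against plain `(req, res, next)` objects so it runs offline without express installed; with express it would be registered with `app.use(corsAllowlist(DEV_ALLOWED_ORIGINS))` before `installHandlers`.

```javascript
// Added example (not sockjs-node's own code): an origin allowlist for the
// scenario above, where the SockJS/Express backend listens on :8081 and the
// frontend dev server on :8080. Access-Control-Allow-Origin is only set for
// origins on an explicit allowlist, and a wildcard is refused in production.

// Constructed allowlist for local development; a real deployment would load
// this from configuration rather than hard-code it.
const DEV_ALLOWED_ORIGINS = ['http://localhost:8080', 'http://127.0.0.1:8080'];

// Decide which value (if any) Access-Control-Allow-Origin should carry for a
// request. Returns null when the origin is not allowed, so the caller sends no
// header and the browser blocks the cross-origin read.
function allowOriginValue(requestOrigin, allowlist, nodeEnv) {
  if (typeof requestOrigin !== 'string' || requestOrigin === '') {
    return null; // same-origin and most non-browser clients send no Origin header
  }
  if (allowlist.includes('*')) {
    // A wildcard lets any site read responses, so it is only tolerated in
    // development; the production guard makes the misconfiguration loud.
    if (nodeEnv === 'production') {
      throw new Error('wildcard Access-Control-Allow-Origin is not permitted in production');
    }
    return '*';
  }
  // Echo the request origin only on an exact match. Exact comparison avoids
  // prefix tricks such as "http://localhost:8080.evil.example" (constructed).
  return allowlist.includes(requestOrigin) ? requestOrigin : null;
}

// Express-style middleware built on the function above. nodeEnv defaults to
// NODE_ENV so the production guard applies without extra wiring.
function corsAllowlist(allowlist, nodeEnv = process.env.NODE_ENV) {
  return function (req, res, next) {
    const origin = req.headers && req.headers.origin;
    const value = allowOriginValue(origin, allowlist, nodeEnv);
    if (value !== null) {
      res.setHeader('Access-Control-Allow-Origin', value);
      // Tell caches the response varies by Origin, so one origin's header is
      // never served to a different origin from cache.
      res.setHeader('Vary', 'Origin');
      if (value !== '*') {
        // Only meaningful with an explicit origin; browsers reject
        // credentials combined with a wildcard.
        res.setHeader('Access-Control-Allow-Credentials', 'true');
      }
    }
    // Answer CORS preflights here so they never reach the application routes.
    if (req.method === 'OPTIONS') {
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
      res.statusCode = 204;
      res.end();
      return;
    }
    next();
  };
}

// Minimal stand-in for a Node response object, used to run the middleware
// offline against a constructed request and inspect what it did.
function runMiddleware(mw, req) {
  const headers = {};
  const res = {
    statusCode: 200,
    ended: false,
    setHeader(name, v) { headers[name.toLowerCase()] = v; },
    end() { this.ended = true; },
  };
  let nextCalled = false;
  mw(req, res, () => { nextCalled = true; });
  return { headers, statusCode: res.statusCode, ended: res.ended, nextCalled };
}

// Constructed request from the dev server origin in the thread above.
const sample = runMiddleware(
  corsAllowlist(DEV_ALLOWED_ORIGINS, 'development'),
  { method: 'GET', headers: { origin: 'http://localhost:8080' } }
);
console.log(sample.headers); // includes access-control-allow-origin: http://localhost:8080
```

Because the header is only ever the echoed, exact-match origin, the same list works unchanged whether or not the xhr transport sends credentials, and a request from an unlisted origin simply gets no header, which is what the browser needs to keep blocking it.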