cors
CORS is a node.js package for providing a Connect/Express middleware that can be used to enable CORS with various options.
Follow me (@troygoode) on Twitter!
Installation (via npm)
$ npm install corsUsage
Simple Usage (Enable All CORS Requests)
var express = cors = app = ; app; app; app;Enable CORS for a Single Route
var express = cors = app = ; app; app;Configuring CORS
var express = cors = app = ; var corsOptions = origin: 'http://example.com'; app; app;Configuring CORS w/ Dynamic Origin
var express = cors = app = ; var whitelist = 'http://example1.com' 'http://example2.com';var corsOptions = { var originIsWhitelisted = whitelist !== -1; ; }; app; app;Enabling CORS Pre-Flight
Certain CORS requests are considered 'complex' and require an initial
OPTIONS request (called the "pre-flight request"). An example of a
'complex' CORS request is one that uses an HTTP verb other than
GET/HEAD/POST (such as DELETE) or that uses custom headers. To enable
pre-flighting, you must add a new OPTIONS handler for the route you want
to support:
var express = cors = app = ; appoptions'/products/:id' ; // enable pre-flight request for DELETE requestapp; app;You can also enable pre-flight across-the-board like so:
app.options('*', cors()); // include before other routes
Configuring CORS Asynchronously
var express = cors = app = ; var whitelist = 'http://example1.com' 'http://example2.com';var { var corsOptions; ifwhitelist !== -1 corsOptions = origin: true ; // reflect (enable) the requested origin in the CORS response else corsOptions = origin: false ; // disable CORS for this request ; // callback expects two parameters: error and options}; app; app;Configuration Options
origin: Configures the Access-Control-Allow-Origin CORS header. Expects a string (ex: "http://example.com"). Set totrueto reflect the request origin, as defined byreq.header('Origin'). Set tofalseto disable CORS. Can also be set to a function, which takes the request origin as the first parameter and a callback (which expects the signatureerr [object], allow [bool]) as the second. Finally, it can also be a regular expression (/example\.com$/) or an array of regular expressions and/or strings to match against.methods: Configures the Access-Control-Allow-Methods CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex:['GET', 'PUT', 'POST']).allowedHeaders: Configures the Access-Control-Allow-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex:['Content-Type', 'Authorization']). If not specified, defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.exposedHeaders: Configures the Access-Control-Expose-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex:['Content-Range', 'X-Content-Range']). If not specified, no custom headers are exposed.credentials: Configures the Access-Control-Allow-Credentials CORS header. Set totrueto pass the header, otherwise it is omitted.maxAge: Configures the Access-Control-Allow-Max-Age CORS header. Set to an integer to pass the header, otherwise it is omitted.preflightContinue: Pass the CORS preflight response to the next handler.
For details on the effect of each CORS header, read this article on HTML5 Rocks.
Demo
A demo that illustrates CORS working (and not working) using jQuery is available here: http://node-cors-client.herokuapp.com/
Code for that demo can be found here:
- Client: https://github.com/TroyGoode/node-cors-client
- Server: https://github.com/TroyGoode/node-cors-server