mscoutermarsh / cors-test
A tiny tool for checking if your CORS headers are set up correctly
Home Page: https://cors-test.codehappy.dev
License: MIT License
I believe there may be an issue with this tester as it's done on the server side and not browser side. One of our vendors has been using this tool to verify if we have CORS issues on our assets.
In order for a server to respond with the access-control-allow-origin header it must be given an origin header in the request, otherwise the server doesn't know this is a cross-origin request and will omit the access-control-allow-origin from the response headers. Typically, this happens as a client-side request, where the browser attaches the origin header to the request by looking at the address bar [1]. Since this implementation is all done server side, the origin header is never added to the fetch request, so the server will never add the access-control-allow-origin header in the response. According to the spec, "in any access control request, the Origin header is always sent." [2] From another standpoint, to enable credentials and not default to sending the wildcard, e.g. access-control-allow-origin: *, back in the response, the server must read the origin header to do so. [3]
In contrast, you can see this browser-based tester does this correctly by observing the network requests in the debugging tools.
As an example you can look at this asset: https://assets.asktia.com/fonts/basis-grotesque-regular.woff2
This will fail (omit the access-control-allow-origin header) using this tool, but succeed (include the access-control-allow-origin header) using this browser-based tester or a curl request, e.g. curl -H "Origin: http://example.com" --verbose https://assets.asktia.com/fonts/basis-grotesque-regular.woff2
[1] https://stackoverflow.com/questions/15988323/cors-and-origin-header#:~:text=Yes.,an%20extra%20header%20is%20sent.
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_request_headers
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin
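The behaviour the issue describes, as an added example (this is not code from the cors-test project): a small CORS probe that sends an Origin header and evaluates the response, run against a constructed toy server that, like the asset in the report, only emits access-control-allow-origin when the request carried an Origin header. The server, its allowed-origin list, the probe URL and the function names (`evaluate_cors`, `probe`, `demo`) are all assumptions made for this example; the point is that the same server looks broken to a probe that omits Origin and correct to one that sends it.

```python
"""Added example: an Origin-aware CORS probe plus a toy origin-echoing server.
Not part of mscoutermarsh/cors-test; the server and URLs are constructed here."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


class OriginAwareHandler(BaseHTTPRequestHandler):
    """Constructed toy server: it only sends Access-Control-Allow-Origin when the
    request carries an Origin header that is on its allow list, which is exactly
    why a tester that never sends Origin will never see the header."""

    ALLOWED_ORIGINS = {"http://example.com"}  # constructed allow list

    def do_GET(self):
        origin = self.headers.get("Origin")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        if origin is not None and origin in self.ALLOWED_ORIGINS:
            # Echo the specific origin rather than "*" so credentials could be allowed.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_toy_server():
    """Bind the toy server on a free loopback port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), OriginAwareHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/font.woff2"  # constructed path
    return server, url


def evaluate_cors(headers, origin):
    """Pure check over response headers. Returns (allowed, reason).

    `headers` is any mapping of response header names to values (case-insensitive),
    `origin` the Origin value the request was sent with (None if it was omitted)."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return False, "missing Access-Control-Allow-Origin (was an Origin header sent?)"
    if acao == "*":
        if creds:
            # Browsers reject "*" when credentials are allowed; the server must echo the origin.
            return False, "wildcard origin is not valid with Access-Control-Allow-Credentials: true"
        return True, "wildcard origin (any site may read the response, without credentials)"
    if origin is not None and acao == origin:
        return True, f"origin {origin} is explicitly allowed"
    return False, f"origin {origin!r} is not allowed (server allows {acao!r})"


def probe(url, origin=None):
    """Fetch `url` the way a browser would for a cross-origin request: with Origin set.
    Passing origin=None reproduces the server-side tester that omits the header."""
    req = Request(url, headers={"Origin": origin} if origin else {})
    with urlopen(req, timeout=5) as resp:
        headers = dict(resp.headers.items())
    return evaluate_cors(headers, origin)


def demo():
    """Probe the toy server both ways; returns {"without_origin": ..., "with_origin": ...}."""
    server, url = start_toy_server()
    try:
        return {
            "without_origin": probe(url),                        # what the issue describes
            "with_origin": probe(url, "http://example.com"),     # what a browser or curl -H Origin does
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:15} allowed={ok}  {reason}")
```

Running it prints one failing and one passing line for the same URL, which is the discrepancy the report describes: the first probe is a correctness bug in the tester, not in the server. The `evaluate_cors` helper is also usable on its own against headers captured with curl or the browser's network panel.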