graphql-mesh icon indicating copy to clipboard operation
graphql-mesh copied to clipboard

Published 20 hours ago verified publisher icon ardatan

CORS regex origins work in Firefox but not Chromium-based browsers

Open coopbri opened this issue 5 months ago • 0 comments

Issue workflow progress

Progress of the issue based on the Contributor Workflow

Make sure to fork this template and run yarn generate in the terminal.

Please make sure Mesh package versions under package.json matches yours.

  • [ ] 2. A failing test has been provided
  • [ ] 3. A local solution has been provided
  • [ ] 4. A pull request is pending review

Describe the bug

In Chromium-based browsers (tested Brave and Chrome), regex patterns for allowed origins fail validation with the following in the browser console:

Access to XMLHttpRequest at 'http://localhost:5000/graphql' from origin 'http://localhost:3000'
has been blocked by CORS policy: Response to preflight request doesn't pass access control check:
The 'Access-Control-Allow-Origin' header contains the invalid value '/https?:\/\/localhost:\d{4}/'.

In Firefox, the requests succeed successfully (HTTP 200).

To Reproduce

Steps to reproduce the behavior:

In a Mesh config file (e.g. .meshrc.ts), add the following config:

const meshConfig = {
  serve: {
    cors: { 
      credentials: true, 
      allowedHeaders: ["Content-Type", "Authorization"],
      exposedHeaders: ["Access-Control-Allow-Origin"], // for debugging
      origin: [/https?:\/\/localhost:\d{4}/]
    }
  }
}

Run the Mesh server (mesh dev). From an app running in the browser on any localhost port, make a request to the Mesh server in a Chromium-based browser and check the console for CORS origin errors.

Expected behavior

Expected CORS validation to pass in Chromium-based browsers.

Environment:

  • OS: Arch Linux kernel 6.7.0-arch3-1
  • @graphql-mesh/cli: ^0.88.5
  • NodeJS: v20.8.1

Additional context

CORS Access-Control-Allow-Origin can only be a wildcard or an exact URL (see https://stackoverflow.com/a/44071913). To work around this, some projects that abstract the server (much like Mesh does), such as micronaut, allow regexes to be used for CORS via special config (see here).

coopbri avatar Jan 24 '24 20:01 coopbri