socket.io
No CORS headers are set on the client javascript file
You want to:
- [x] report a bug
- [ ] request a feature
Current behaviour
When serving the client via setting the serveClient option, the client is not served with the same CORS headers as the actual socket.io server.
Steps to reproduce (if the current behaviour is a bug)
Start a server with serveClient: true and request /socket.io/socket.io.js with an Origin header set.
Observe that the response does not have any Access-Control-Allow-Origin header set.
Expected behaviour
That the response has the same CORS headers as the normal operation.
Other information (e.g. stacktraces, related issues, suggestions how to fix)
This function (and the corresponding serveMap) should do the same origin checking as this code.
Is it me or CORS don't have to be "set" on client side... you have to tell the server which cors will be accepted.
Here's my implementation to allow all in typescript
```typescript
this.app.use(cors({
  origin: '*',
  optionsSuccessStatus: 200,
}))
```
the browser is responsible for indicating the origin domain and you have no control over that for security reasons...
I might be mistaken..
Also, even if, this should probably go on the socket.io-client github :)
The Access-Control-Allow-Origin header is a response header from the server, indicating which origins are allowed to use the resource. Browsers respect this header.
If you set the serveClient option in socket.io, it serves the javascript of the client from the socket.io server. However, the function(s) responsible for doing this do not set the Access-Control-Allow-Origin header, which means that if you try to request the client javascript in a cross-origin environment, the request fails.
The correct headers are applied to the actual socket.io websocket connection, so I'm suggesting that the same logic is applied to the served client sources.
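The behaviour requested above, sketched as an added example (not socket.io's code and not the commit referenced in this thread): one origin check shared by the served client file and the transport endpoint, next to a model of the reported behaviour. The names `ALLOWED_ORIGINS`, `corsHeaders`, `makeHandler` and `corsParity` are hypothetical, and the origins are constructed sample values.

```javascript
// Added example with hypothetical names; this does not use socket.io internals.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed allowlist

// Decide the CORS response headers from the request's Origin header.
function corsHeaders(origin) {
  const headers = { Vary: 'Origin' }; // the answer depends on Origin, so caches must key on it
  if (typeof origin === 'string' && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin; // echo only an exact allowlist match
  }
  return headers;
}

// Build a stand-in request handler. corsOnClient=false models the reported
// behaviour: the client file and its source map are served without CORS headers.
function makeHandler({ corsOnClient }) {
  return function respond(req) {
    const path = req.url.split('?')[0];
    const cors = corsHeaders(req.headers.origin);
    if (path === '/socket.io/socket.io.js' || path === '/socket.io/socket.io.js.map') {
      const type = path.endsWith('.map') ? 'application/json' : 'application/javascript';
      return { status: 200, headers: { 'Content-Type': type, ...(corsOnClient ? cors : {}) } };
    }
    if (path === '/socket.io/') {
      return { status: 200, headers: { 'Content-Type': 'text/plain', ...cors } };
    }
    return { status: 404, headers: {} };
  };
}

const asReported = makeHandler({ corsOnClient: false });
const expected = makeHandler({ corsOnClient: true });

// The check from "Steps to reproduce": for the same Origin, the client file and
// the transport endpoint must return the same Access-Control-Allow-Origin value.
function corsParity(respond, origin) {
  const headers = { origin };
  const client = respond({ url: '/socket.io/socket.io.js', headers });
  const transport = respond({ url: '/socket.io/?EIO=4&transport=polling', headers });
  return client.headers['Access-Control-Allow-Origin'] ===
    transport.headers['Access-Control-Allow-Origin'];
}
```

`corsParity(asReported, 'https://app.example.test')` is false and `corsParity(expected, 'https://app.example.test')` is true, so the same comparison can serve as a regression check against a real server.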
I also stumble over the same issue and yes CORS needs to be set by the server also from my knowledge ;-) Can you do a PR? ;-)
I was able to fix my CORS issues using the handlePreflightRequest referenced in https://github.com/socketio/engine.io/issues/279#issuecomment-585578251 but I couldn't use the latest changes implemented for engine.io v4 in socket.io (2.3.0).
@Keepcase sorry but I do not understand it ... were you able to fix it or not? ;-) Or do you mean that you know how/where to fix but in engine.io and not in socket.io?! Or what? What would be needed to be patched?
My apologies @Apollon77, let me clarify. Perhaps I'm misunderstanding the issue but I was suggesting to try the change that I referenced on the socket.io server to see if that fixed the issue @aeons was running into.
I recently ran into issues with CORS and the referenced comment fixed it for my use case. I was getting errors on the browser similar to https://github.com/socketio/engine.io/issues/574 but I fixed it with the code referenced in https://github.com/socketio/engine.io/issues/574#issuecomment-476500527 which I implemented on the socket.io server.
I was just mentioning that the latest changes made in https://github.com/socketio/engine.io/issues/279#issuecomment-585578251 referencing cors were not working for socket.io (2.3.0).
Can I work on it @darrachequesne
@bilalsha sure!
Has the issue been resolved, if not, I would like to work on it.
I assume it is still there :-(
@darrachequesne is the issue still there?
This should be fixed by https://github.com/socketio/socket.io/commit/63f181cc12cbbbf94ed40eef52d60f36a1214fbe, included in version 4.7.0.
Please reopen if needed.