1. 技术文章
  2. Allow multiple CORS domain in express js

Allow multiple CORS domain in express js

大兔子大兔子 提交于 2020-01-22 14:10:12

问题


How do I allow multiple domains for CORS in express in a simplified way.

I have

 cors: {
        origin: "www.one.com";
    }

    app.all('*', function(req, res, next) {
            res.header("Access-Control-Allow-Origin", cors.origin);
            res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
            next();
        });

This works when there is only one domain mentioned in origin

But if I want to have origin as an array of domains and I want to allow CORS for all the domains in the origin array, I would have something like this - 

cors: {
            origin: ["www.one.com","www.two.com","www.three.com"];
        }

But then the problem is this below code would not work - 

app.all('*', function(req, res, next) {
                res.header("Access-Control-Allow-Origin", cors.origin);
                res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
                next();
            });

How do I make res.header take an array of domains via cors.origin ?


回答1:


I would recommend the cors-module: https://www.npmjs.org/package/cors It does this kind of stuff for you - check the "Configuring CORS w/ Dynamic Origin"-Section




回答2:


Lets understand how this header works. "Access-Control-Allow-Origin" accepts only a string. So to make it dynamic you need to get the requesting host from the http header. Check it against your array of authorised domains. If it's present then add that as a value to the header, else adding a default value will prohibit unauthorised domains from accessing the API.

There is no native implementation for this. You can do it yourself using the code below. 

cors: {
            origin: ["www.one.com","www.two.com","www.three.com"],
            default: "www.one.com"
        }

app.all('*', function(req, res, next) {
                var origin = cors.origin.indexOf(req.header('host').toLowerCase()) > -1 ? req.headers.origin : cors.default;
                res.header("Access-Control-Allow-Origin", origin);
                res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
                next();
            });



回答3:


In fact, Access-Control-Allow-Origin header should be the same value as the Origin header as long as you want to allow it.

So base on your code just

cors: {
    origin: ["www.one.com","www.two.com","www.three.com"]
}



app.all('*', function(req, res, next) {
            let origin = req.headers.origin;
            if(cors.origin.indexOf(origin) >= 0){
                res.header("Access-Control-Allow-Origin", origin);
            }         
            res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
            next();
        });


来源:https://stackoverflow.com/questions/26988071/allow-multiple-cors-domain-in-express-js

标签
javascript
node.js
express
cors
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!