Allow caching of CORS headers by setting Access-Control-Max-Age header #77
Conversation
…th this value (in seconds) will be added.
lib/cors-anywhere.js
Outdated
| @@ -50,8 +50,11 @@ function isValidHostName(hostname) { | |||
| * @param headers {object} Response headers | |||
| * @param request {ServerRequest} | |||
| */ | |||
| function withCORS(headers, request) { | |||
| function withCORS(headers, request, maxAge) { | |||
| headers['access-control-allow-origin'] = '*'; | |||
There was a problem hiding this comment.
Please use the following instead of passing an extra parameter to withCORS:
var maxAge = req.corsAnywhereRequestState.location;
There was a problem hiding this comment.
Sure. To do this, I had to move the definition of req.corsAnywhereRequestState to before the call to withCORS in the getHandler function.
lib/cors-anywhere.js
Outdated
| @@ -234,6 +237,7 @@ function getHandler(options, proxy) { | |||
| requireHeader: null, // Require a header to be set? | |||
| removeHeaders: [], // Strip these request headers. | |||
| setHeaders: {}, // Set these request headers. | |||
| maxAge: null, // If set, an Access-Control-Max-Age header with this value (in seconds) will be added. | |||
There was a problem hiding this comment.
Default to 0 please, based on the following substeps from https://fetch.spec.whatwg.org/#cors-preflight-fetch
- Let max-age be the result of extracting header list values given `
Access-Control-Max-Age` and response’s header list.- If max-age is failure or null, then set max-age to zero.
There was a problem hiding this comment.
Done. Also updated the tests and readme to note that the default behaviour is now an Access-Control-Max-Age header set to 0.
test/test.js
Outdated
| .get('/example.com') | ||
| .expect('Access-Control-Allow-Origin', '*') | ||
| .expect('Access-Control-Max-Age', '600') | ||
| .expect(200, 'Response from example.com', done);; |
README.md
Outdated
| @@ -107,6 +107,8 @@ proxy requests. The following options are supported: | |||
| Example: `["cookie"]` | |||
| * dictionary of lowercase strings `setHeaders` - Set headers for the request (overwrites existing ones). | |||
| Example: `{"x-powered-by": "CORS Anywhere"}` | |||
| * number `maxAge` - If set, an Access-Control-Max-Age header with this value (in seconds) will be added. | |||
There was a problem hiding this comment.
Add two spaces at the end, then markdown will show a forced line break.
And use "response header" instead of just "header".
Set corsAnywhereRequestState before calling withCORS and use the state instead of a parameter to get corsMaxAge.
|
Thanks @Rob--W - I have now implemented all of the above suggested changes. |
README.md
Outdated
| @@ -107,6 +107,9 @@ proxy requests. The following options are supported: | |||
| Example: `["cookie"]` | |||
| * dictionary of lowercase strings `setHeaders` - Set headers for the request (overwrites existing ones). | |||
| Example: `{"x-powered-by": "CORS Anywhere"}` | |||
| * number `corsMaxAge` - If set, an Access-Control-Max-Age request header with this value (in seconds) will be added. | |||
| Defaults to 0. | |||
There was a problem hiding this comment.
This line can be removed `"If set, ..." implies that the header is not set if not specified, which is already clear.
lib/cors-anywhere.js
Outdated
| @@ -52,6 +52,10 @@ function isValidHostName(hostname) { | |||
| */ | |||
| function withCORS(headers, request) { | |||
| headers['access-control-allow-origin'] = '*'; | |||
| var corsMaxAge = request.corsAnywhereRequestState.corsMaxAge; | |||
| if (corsMaxAge != null) { | |||
There was a problem hiding this comment.
Change this to if (corsMaxAge) {.
test/test.js
Outdated
| @@ -50,6 +50,7 @@ describe('Basic functionality', function() { | |||
| .get('/') | |||
| .type('text/plain') | |||
| .expect('Access-Control-Allow-Origin', '*') | |||
| .expect('Access-Control-Max-Age', '0') | |||
There was a problem hiding this comment.
The header should not be added by default. The user agent (browser) will assume 0 if not set.
There was a problem hiding this comment.
Ah, sorry. I just misinterpreted your suggestion to set the default corsMaxAge to 0 instead of null to mean we should send an Access-Control-Max-Age header with the value of 0 by default.
Actually, the default corsMaxAge should be 0 which will mean no header is sent, correct?
Add maxAge config option. If set, an Access-Control-Max-Age header with this value (in seconds) will be added. This will allow the results of a preflight request to be cached by the browser, avoiding a preflight request being made for every request.
Defaults to not set.
Example:
createServer({ maxAge: 600 })Allow CORS preflight requests to be cached by the browser for 10 minutes.