OPTIONS support for XHR2 / CORS
2,563 views
Skip to first unread message
AJ ONeal
Oct 29, 2010, 4:40:09 AM10/29/10
to expre...@googlegroups.com
curl -X OPTIONS localhost:3000/xhr2
Cannot OPTIONS /xhr2
How do I go about adding OPTIONS support?
In order for CORS support, 4 things need to happen for each resource:
1) The server should respond to a HEAD request for the resource with the CORS (Access-Control) headers
2) The server should respond to an OPTIONS request with the EXACT SAME headers
3) The server MUST respond to the GET/POST/PUT/DELETE with the EXACT SAME headers as it gets from OPTIONS and HEAD
4) The browser must recognize the headers.
curl -I localhost:3000/xhr2
HTTP/1.1 200 OK
Content-Type: text/plain
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: false
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
Date: Fri, 29 Oct 2010 08:27:14 GMT
X-Response-Time: 3ms
X-Powered-By: Connect 0.2.7
Server: Node v0.3.0-pre
Connection: keep-alive
Example Middleware: http://gist.github.com/653153
AJ ONeal
Cannot OPTIONS /xhr2
How do I go about adding OPTIONS support?
In order for CORS support, 4 things need to happen for each resource:
1) The server should respond to a HEAD request for the resource with the CORS (Access-Control) headers
2) The server should respond to an OPTIONS request with the EXACT SAME headers
3) The server MUST respond to the GET/POST/PUT/DELETE with the EXACT SAME headers as it gets from OPTIONS and HEAD
4) The browser must recognize the headers.
curl -I localhost:3000/xhr2
HTTP/1.1 200 OK
Content-Type: text/plain
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: false
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
Date: Fri, 29 Oct 2010 08:27:14 GMT
X-Response-Time: 3ms
X-Powered-By: Connect 0.2.7
Server: Node v0.3.0-pre
Connection: keep-alive
Example Middleware: http://gist.github.com/653153
AJ ONeal
![vision media [ Tj Holowaychuk ]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjVywkZHkgADVZ5C62gBJ9Nus0vIhKIcJZRFwTi6ZhSufWL7fw=s40-c)
vision media [ Tj Holowaychuk ]
Oct 29, 2010, 10:55:43 AM10/29/10
to expre...@googlegroups.com
we need to add it to the router middleware in Connect
--
Tj Holowaychuk
Vision Media
President & Creative Lead
--
You received this message because you are subscribed to the Google Groups "Express" group.
To post to this group, send email to expre...@googlegroups.com.
To unsubscribe from this group, send email to express-js+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/express-js?hl=en.
--
Tj Holowaychuk
Vision Media
President & Creative Lead
AJ ONeal
Oct 29, 2010, 9:22:35 PM10/29/10
to expre...@googlegroups.com
After browsing around for a few minutes a realized that connect is quite simple.
I was thinking about how to go about adding it and I'm a little confused.
app.options('/resource', function (req, res) {
res.writeHead(200, headers);
});
Essentially, whatever headers are added by app.options should also be added to all other requests at that resource.
So should the middleware fake a false request to app.options to see what the user wants the values to be and then use that for any request that matches that resource?
Or should the middleware accept the header options as arguments - like logger - and hijack the res.writeHead method?
I suppose you could pass in something like
{
"/resource": {
"options" : defaultHeaders,
"get" : defaultHeaders,
"post" : defaultHeaders,
"put" : slightlyDifferentHeaders,
"delete" : defaultHeaders
}
}
or perhaps just an array of the methods it applies to.
I think that the headers for any given resource by OPTIONS should be the same across all methods. Is that correct?
AJ ONeal
I was thinking about how to go about adding it and I'm a little confused.
app.options('/resource', function (req, res) {
res.writeHead(200, headers);
});
Essentially, whatever headers are added by app.options should also be added to all other requests at that resource.
So should the middleware fake a false request to app.options to see what the user wants the values to be and then use that for any request that matches that resource?
Or should the middleware accept the header options as arguments - like logger - and hijack the res.writeHead method?
I suppose you could pass in something like
{
"/resource": {
"options" : defaultHeaders,
"get" : defaultHeaders,
"post" : defaultHeaders,
"put" : slightlyDifferentHeaders,
"delete" : defaultHeaders
}
}
or perhaps just an array of the methods it applies to.
I think that the headers for any given resource by OPTIONS should be the same across all methods. Is that correct?
AJ ONeal
AJ ONeal
Nov 6, 2010, 3:02:27 PM11/6/10
to expre...@googlegroups.com
Bump.
Thoughts? Feedback?
AJ ONeal
Thoughts? Feedback?
AJ ONeal
Franti?ek H?ba
Dec 24, 2010, 9:17:20 PM12/24/10
to expre...@googlegroups.com
Any news?
Subbu Allamaraju
Dec 28, 2010, 12:01:33 AM12/28/10
to expre...@googlegroups.com
https://github.com/s3u/resource-router may work for you as it automatically adds support for OPTIONS based on the methods implemented for any given URI.
Masahiro Hayashi
Dec 28, 2010, 2:01:37 AM12/28/10
to expre...@googlegroups.com
How about this?
https://github.com/antono/connect-cors
--
@masahiroh
On Tue, Dec 28, 2010 at 14:01, Subbu Allamaraju <su...@subbu.org> wrote:
> https://github.com/s3u/resource-router may work for you as it automatically
> adds support for OPTIONS based on the methods implemented for any given URI.
>
vision media [ Tj Holowaychuk ]
Dec 28, 2010, 7:07:02 AM12/28/10
to expre...@googlegroups.com
I added OPTIONS to the connect router, you can override it and do whatever you like via app.options() now (in master) although it has the default behavior in place
Message has been deleted
Franti?ek H?ba
Dec 28, 2010, 7:07:08 PM12/28/10
to expre...@googlegroups.com
Works great! Thanks for quick fix.
app.options('*', function(req, res) {
// ...
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Methods', 'POST, GET, PUT, DELTE, OPTIONS');res.header('Access-Control-Allow-Headers', 'Content-Type');
// ...
});
Christopher Joel
Dec 28, 2010, 8:23:43 PM12/28/10
to expre...@googlegroups.com
This is awesome! I've been trying to work around this feature not existing for a couple of days now. Thanks TJ!
Chris
--
vision media [ Tj Holowaychuk ]
Dec 28, 2010, 8:42:41 PM12/28/10
to expre...@googlegroups.com
:) no problem. you can still override .options() like he did there, or you can leave the default OPTIONS support
AJ ONeal
Jan 5, 2011, 11:47:16 AM1/5/11
to expre...@googlegroups.com
I also want to say thank you!
AJ ONeal
AJ ONeal
Curtis j Schofield
Jan 5, 2011, 12:07:08 PM1/5/11
to expre...@googlegroups.com
On Tue, Dec 28, 2010 at 4:06 PM, Franti?ek H?ba <franti...@gmail.com> wrote:
> Works great! Thanks for quick fix.
>
>
> Works great! Thanks for quick fix.
>
>
> res.header('Access-Control-Allow-Methods', 'POST, GET, PUT, DELTE,
DELETE
--
make haste slowly \
festina lente \
-
mobile +1_415_632_6001
cur...@robotarmyma.de
http://robotarmyma.de
Reply all
Reply to author
Forward
0 new messages