OPTIONS support for XHR2 / CORS

2351 views
Skip to first unread message

AJ ONeal

unread,
Oct 29, 2010, 4:40:09 AM10/29/10
to expre...@googlegroups.com
curl -X OPTIONS localhost:3000/xhr2
Cannot OPTIONS /xhr2

How do I go about adding OPTIONS support?




In order for CORS support, 4 things need to happen for each resource:

1) The server should respond to a HEAD request for the resource with the CORS (Access-Control) headers
2) The server should respond to an OPTIONS request with the EXACT SAME headers
3) The server MUST respond to the GET/POST/PUT/DELETE with the EXACT SAME headers as it gets from OPTIONS and HEAD
4) The browser must recognize the headers.


curl -I localhost:3000/xhr2

HTTP/1.1 200 OK
Content-Type: text/plain
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: false
Access-Control-Max-Age: 86400
Access-Control-Allow-Headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
Date: Fri, 29 Oct 2010 08:27:14 GMT
X-Response-Time: 3ms
X-Powered-By: Connect 0.2.7
Server: Node v0.3.0-pre
Connection: keep-alive

Example Middleware: http://gist.github.com/653153

AJ ONeal

vision media [ Tj Holowaychuk ]

unread,
Oct 29, 2010, 10:55:43 AM10/29/10
to expre...@googlegroups.com
we need to add it to the router middleware in Connect

--
You received this message because you are subscribed to the Google Groups "Express" group.
To post to this group, send email to expre...@googlegroups.com.
To unsubscribe from this group, send email to express-js+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/express-js?hl=en.



--
Tj Holowaychuk
Vision Media
President & Creative Lead

AJ ONeal

unread,
Oct 29, 2010, 9:22:35 PM10/29/10
to expre...@googlegroups.com
After browsing around for a few minutes a realized that connect is quite simple.

I was thinking about how to go about adding it and I'm a little confused.

app.options('/resource', function (req, res) {
    res.writeHead(200, headers);
});

Essentially, whatever headers are added by app.options should also be added to all other requests at that resource.

So should the middleware fake a false request to app.options to see what the user wants the values to be and then use that for any request that matches that resource?

Or should the middleware accept the header options as arguments - like logger - and hijack the res.writeHead method?

I suppose you could pass in something like

{
    "/resource": {
        "options" : defaultHeaders,
        "get" : defaultHeaders,
        "post" : defaultHeaders,
        "put" : slightlyDifferentHeaders,
        "delete" : defaultHeaders
    }
}

or perhaps just an array of the methods it applies to.

I think that the headers for any given resource by OPTIONS should be the same across all methods. Is that correct?

AJ ONeal

AJ ONeal

unread,
Nov 6, 2010, 3:02:27 PM11/6/10
to expre...@googlegroups.com
Bump.

Thoughts? Feedback?

AJ ONeal

Franti?ek H?ba

unread,
Dec 24, 2010, 9:17:20 PM12/24/10
to expre...@googlegroups.com
Any news?

Subbu Allamaraju

unread,
Dec 28, 2010, 12:01:33 AM12/28/10
to expre...@googlegroups.com
https://github.com/s3u/resource-router may work for you as it automatically adds support for OPTIONS based on the methods implemented for any given URI.

Masahiro Hayashi

unread,
Dec 28, 2010, 2:01:37 AM12/28/10
to expre...@googlegroups.com
How about this?

https://github.com/antono/connect-cors


--
@masahiroh

On Tue, Dec 28, 2010 at 14:01, Subbu Allamaraju <su...@subbu.org> wrote:
> https://github.com/s3u/resource-router may work for you as it automatically
> adds support for OPTIONS based on the methods implemented for any given URI.
>

vision media [ Tj Holowaychuk ]

unread,
Dec 28, 2010, 7:07:02 AM12/28/10
to expre...@googlegroups.com
I added OPTIONS to the connect router, you can override it and do whatever you like via app.options() now (in master) although it has the default behavior in place
Message has been deleted

Franti?ek H?ba

unread,
Dec 28, 2010, 7:07:08 PM12/28/10
to expre...@googlegroups.com
Works great! Thanks for quick fix.

app.options('*', function(req, res) {

// ...
 
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Credentials', true); 
res.header('Access-Control-Allow-Methods', 'POST, GET, PUT, DELTE, OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type'); 

// ...
 
});

Christopher Joel

unread,
Dec 28, 2010, 8:23:43 PM12/28/10
to expre...@googlegroups.com
This is awesome! I've been trying to work around this feature not existing for a couple of days now. Thanks TJ!

Chris

--

vision media [ Tj Holowaychuk ]

unread,
Dec 28, 2010, 8:42:41 PM12/28/10
to expre...@googlegroups.com
:) no problem. you can still override .options() like he did there, or you can leave the default OPTIONS support

AJ ONeal

unread,
Jan 5, 2011, 11:47:16 AM1/5/11
to expre...@googlegroups.com
I also want to say thank you!

AJ ONeal

Curtis j Schofield

unread,
Jan 5, 2011, 12:07:08 PM1/5/11
to expre...@googlegroups.com
On Tue, Dec 28, 2010 at 4:06 PM, Franti?ek H?ba <franti...@gmail.com> wrote:
> Works great! Thanks for quick fix.
>
>
> res.header('Access-Control-Allow-Methods', 'POST, GET, PUT, DELTE,

DELETE


--
make haste slowly \
festina lente  \
-
mobile  +1_415_632_6001
cur...@robotarmyma.de
http://robotarmyma.de

Reply all
Reply to author
Forward
0 new messages