-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The corsHandler is not reflected. Defaults take preference. #505
Comments
Hi @myaaaapon You are right that we do not apply the same settings to HTML resources, JS/CSS files and backend routes. The logic is basically the following :
JS/CSS files (and all other static files) are delivered differently whether you are using SSR (delivered by the Nuxt server) or SSG (delivered by your CDN or your custom static server). If you have difficulty understanding the headers of your JS/CSS files, let me know your server setup so that I can further guide you. As far as the CORS handler is concerned, I’ll have a look at how we resolve the rules and let you know here |
Hey @myaaaapon any feedback from your side? Is there anything we could do to improve the documenation? :) |
Hi @vejja Thank you for your detailed answer 😊 I had missed your advanced settings... This gave me a good understanding of the difference between HTML and the headers of the rest of the file. If any policy on Hi @Baroshem additionI found an mistake in the documentation.
- type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'POST' | string;
# Perhaps the following is correct.
+ type HTTPMethod = 'GET' | 'POST' | 'DELETE' | 'PATCH' | 'PUT' | string; Alternatively, since the default value for
# I think this is also good.
+ type HTTPMethod = 'GET' | 'HEAD' | 'PUT' | 'PATCH' | 'POST' | 'DELETE' | string; @vejja @Baroshem |
@myaaaapon Thanks for the extensive research from your side! Would you be interested in contributing to the project with the bugfixes you mentioned? I will be more than happy to help you :) |
Hey @myaaaapon bumping the topic above :) |
This handy module has saved me a lot of time on my security !!
I always appreciate your developments 😊
I have three questions and suggestions.
1, Information on js/css default values in the documentation.
It seems that the header values are different for HTML and the rest of the files.
I have spent a lot of time mistaking this for a bug...😢
I think it would be more helpful to mention this in the documentation.
Defaults
・Mentioned below. #434
2, Header settings under the backend and js/css header settings in the frontend are the same
By default, the header settings are the same as the front-end js/css files, even though the files are under the back-end /server/api.
Sorry...I am not very familiar with this. but is this a security issue?
Mentioned below. #434
3, corsHandler settings are not applied. Is this a bug?
I want to set
Access-Control-Allow-Origin: http://localhost:3000
. Document CORS HandlerIf it is as follows, it is
not
applied.It will be applied if you do the following.
I would like default values for
methods
other thanorigin
,allowHeaders
and other items.In other words, how can I make only
origin
a unique setting?Or is this my mistake..?
The text was updated successfully, but these errors were encountered: