Commit 0d7b9fa

refactor: change default methods to cors-safelisted methods (#359)
* refactor(index): change default `methods` to cors-safelisted methods * fix: correct allowed methods * Update README.md Signed-off-by: Frazer Smith <frazer.dev@icloud.com> --------- Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
1 parent 8853b06 commit 0d7b9fa

3 files changed

+13
-13
lines changed

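--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ You can use it as is without passing any option or you can configure it as expla
 cb(new Error("Not allowed"), false)
 }
 ```
-* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: `GET,HEAD,PUT,PATCH,POST,DELETE`.
+* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (e.g., 'GET,PUT,POST') or an array (e.g., `['GET', 'PUT', 'POST']`). Default: [CORS-safelisted methods](https://fetch.spec.whatwg.org/#methods) `GET,HEAD,PUT`.
 * `hook`: See [Custom Fastify hook name](#custom-fastify-hook-name). Default: `onRequest`.
 * `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (e.g., `'Content-Type,Authorization'`) or an array (e.g., `['Content-Type', 'Authorization']`). Defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header if not specified.
 * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (e.g., `'Content-Range,X-Content-Range'`) or an array (e.g., `['Content-Range', 'X-Content-Range']`). No custom headers are exposed if not specified.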

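--- a/index.js
+++ b/index.js
@@ -8,7 +8,7 @@ const {
 
 const defaultOptions = {
 origin: '*',
-methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
+methods: 'GET,HEAD,POST',
 hook: 'onRequest',
 preflightContinue: false,
 optionsSuccessStatus: 204,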
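Review bot: The new default `methods: 'GET,HEAD,POST'` disagrees with the README section of this same commit, which documents the default as `GET,HEAD,PUT`; the CORS-safelisted methods in the Fetch spec are GET, HEAD and POST, so the README line should read `GET,HEAD,POST`. Separately, this is a behaviour change for existing users: with the default in place, a preflight response no longer lists PUT, PATCH or DELETE in Access-Control-Allow-Methods, so browsers will block cross-origin requests with those methods until the application sets `methods` explicitly. That is a safer default alongside `origin: '*'`, but it presumably warrants a breaking-change release note and a comment on the option such as `// CORS-safelisted methods only; list PUT/PATCH/DELETE explicitly to allow them cross-origin`. The `defaultOptions` object continues past the end of the hunk.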

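--- a/test/preflight.test.js
+++ b/test/preflight.test.js
@@ -30,7 +30,7 @@ test('Should reply to preflight requests', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -65,7 +65,7 @@ test('Should add access-control-allow-headers to response if preflight req has a
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 'access-control-allow-headers': 'x-requested-with',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
@@ -98,7 +98,7 @@ test('Should reply to preflight requests with custom status code', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -162,7 +162,7 @@ test('Should reply to all options requests', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -204,7 +204,7 @@ test('Should support a prefix for preflight requests', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -329,7 +329,7 @@ test('Should reply to all preflight requests when strictPreflight is disabled',
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -360,7 +360,7 @@ test('Default empty 200 response with preflightContinue on OPTIONS routes', asyn
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers'
 })
 })
@@ -394,7 +394,7 @@ test('Can override preflight response with preflightContinue', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers'
 })
 })
@@ -429,7 +429,7 @@ test('Should support ongoing prefix ', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -455,7 +455,7 @@ test('Should support ongoing prefix ', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })
@@ -481,7 +481,7 @@ test('Should support ongoing prefix ', async t => {
 }
 t.assert.deepStrictEqual(actualHeaders, {
 'access-control-allow-origin': '*',
-'access-control-allow-methods': 'GET,HEAD,PUT,PATCH,POST,DELETE',
+'access-control-allow-methods': 'GET,HEAD,POST',
 vary: 'Access-Control-Request-Headers',
 'content-length': '0'
 })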
