No CORS headers are set on the client javascript file

[aeons]

You want to:

• report a bug
• request a feature

Current behaviour

When serving the client via settings the serveClient option, the client is not served with the same CORS headers as the actual socket.io server.

Steps to reproduce (if the current behaviour is a bug)

Start a server with serveClient: true and request /socket.io/socket.io.js with an Origin header set.

Observe that the response does not have any Access-Control-Allow-Origin header set.

Expected behaviour

That the response has the same CORS headers as the normal operation.

Other information (e.g. stacktraces, related issues, suggestions how to fix)

This function (and the corresponding serveMap) should do the same origin checking as this code.

[eltharynd]

Is it me or CORS don't have to be "set" on client side... you have to tell the server which cors will be accepted.

Here's my implementation to allow all in typescript

this.app.use(cors({
    origin: '*',
    optionsSuccessStatus: 200,
}))

the browser is responsible for indicating the origin domain and you have no control over that for security reasons...

I might be mistaken..

Also, even if, this should probably go on the socket.io-client github :)

[aeons]

The Access-Control-Allow-Origin header is a response header from the server, indicating which origins are allowed to use the resource. Browsers respect this header.

If you set the serveClient option in socket.io, it serves the javascript of the client from the socket.io server. However, the function(s) responsible for doing this, does not set the Access-Control-Allow-Origin header, which means that if you try to request the client javascript in a cross-origin environment, the request fails.

The correct headers are applied to the actual socket.io websocket connection, so I'm suggesting that the same logic is applied to the served client sources.

[Apollon77]

I also stumble over the same issue and yes CORS needs to be set by the server also from my knowledge ;-) Can you do a PR? ;-)

[Keepcase]

I was able to fix my CORS issues using the handlePreflightRequest referenced in socketio/engine.io#279 (comment) but I couldn't use the latest changes implemented for engine.io v4 in socket.io (2.3.0).

[Apollon77]

@Keepcase sorry but I do not understand it ... were yiu able to fix it or not? ;-) Or do you mean that you know how/where to fix but in engine.io and noch in socket.io?! Or what?
What would be needed to be patched?

[Keepcase]

My apologies @Apollon77, let me clarify. Perhaps I'm misunderstanding the issue but I was suggesting to try the change that I referenced on the socket.io server to see if that fixed the issue @aeons was running into.

I recently ran into issues with CORS and the referenced comment fixed it for my use case. I was getting errors on the browser similar to socketio/engine.io#574 but I fixed it with the code referenced in socketio/engine.io#574 (comment) which I implemented on the socket.io server.

I was just mentioning that the latest changes made in socketio/engine.io#279 (comment) referencing cors was not working for socket.io (2.3.0).

[bilalsha]

Can I work on it @darrachequesne

[darrachequesne]

@bilalsha sure!

[pushkarsingh019]

Has the issue been resolved, if not, I would like to work on it.

[Apollon77]

I assume it is still there :-(

[hritik-dubey]

@darrachequesne issue is still there ?

[darrachequesne]

This should be fixed by 63f181c, included in version 4.7.0.

Please reopen if needed.