Incorrect CORS response when origin is set to a String #365

@ShanikaEdiriweera

Environment information

Version: 2.8.5

Platform: Microsoft Windows NT 10.0.26100.0 x64

Node.js version: v20.19.4

Any other relevant information:

What steps will reproduce the bug?

  const corsOptions = {
    methods: ['OPTIONS', 'GET', 'POST'],
    origin: 'https://example.com',
  };
  • The server will respond to any request with access-control-allow-origin: https://example.com

  • If the cors options origin is of type String,

    } else if (isString(options.origin)) {

    does not check for isOriginAllowed:

    function isOriginAllowed(origin, allowedOrigin) {

  • Is this the intended CORS behavior, or should the access-control-allow-origin response header not be sent when the origin does not match?
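
The behaviour reported above, modelled as an added example that is not part of the original post and is not the cors package's code. The function names (`fixedOriginHeaders`, `allowlistHeaders`, `browserAllowsRead`, `compare`) and the sample origins are hypothetical; the browser check is a simplified form of the exact-match comparison a browser applies to a non-credentialed cross-origin response.

```javascript
// Stand-alone model of the behaviour discussed in the issue; not the cors package's source.

// Reported behaviour: a string `origin` option is sent back unchanged,
// whatever Origin header the request carried.
function fixedOriginHeaders(configuredOrigin) {
  return { 'access-control-allow-origin': configuredOrigin };
}

// Alternative the issue asks about: send the header only when the request's
// Origin is on an allowlist, and mark the response as varying by Origin.
function allowlistHeaders(allowedOrigins, requestOrigin) {
  const headers = { vary: 'Origin' };
  if (typeof requestOrigin === 'string' && allowedOrigins.includes(requestOrigin)) {
    headers['access-control-allow-origin'] = requestOrigin;
  }
  return headers;
}

// Browser-side CORS check (simplified, non-credentialed request): script on
// `pageOrigin` may read the response only if the header is `*` or an exact match.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Constructed sample values: the configured origin and three requesting pages.
const CONFIGURED = 'https://example.com';
const SAMPLE_ORIGINS = [
  'https://example.com',
  'https://other.example',
  'https://example.com.other.example', // look-alike; must not match
];

function compare() {
  return SAMPLE_ORIGINS.map((origin) => {
    const fixed = fixedOriginHeaders(CONFIGURED);
    const listed = allowlistHeaders([CONFIGURED], origin);
    return {
      origin,
      fixedHeader: fixed['access-control-allow-origin'],
      fixedReadable: browserAllowsRead(origin, fixed),
      listedHeader: listed['access-control-allow-origin'] ?? null,
      listedReadable: browserAllowsRead(origin, listed),
    };
  });
}

console.table(compare());
```

In this model both variants let only the page at https://example.com read the response; they differ in whether a non-matching request still sees the configured origin in the header. Neither variant stops the request from reaching the server, so server-side authorization has to be enforced separately.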
