Allow disabling of CORS

It is desirable to disable CORS for development purposes in order to validate same-origin policy and web security concepts. Additionally, json-server could be used to show proxy concepts. This change adds a new CLI option `--no-cors` which disables CORS by not adding the CORS middleware. The change is backwards compatible since the default behavior, i.e. adding CORS headers is retained.
2025-07-28 04:32:24 +08:00 · 2016-01-17 08:27:05 +01:00
parent b751cec815
commit c50532dd75
4 changed files with 46 additions and 2 deletions
--- a/test/cli/index.js
+++ b/test/cli/index.js
@ -53,6 +53,15 @@ describe('cli', function () {
      request.get('/posts').expect(200, done)
    })

+    it('should send CORS headers', function (done) {
+      var origin = 'http://example.com'
+
+      request.get('/posts')
+        .set('Origin', origin)
+        .expect('access-control-allow-origin', origin)
+        .expect(200, done)
+    })
+
  })

  describe('seed.js', function () {
@ -140,6 +149,33 @@ describe('cli', function () {

  })

+  describe('db.json --no-cors=true', function () {
+
+    beforeEach(function (done) {
+      child = cli(['fixtures/seed.js', '--no-cors=true'])
+      serverReady(PORT, done)
+    })
+
+    it('should not send Access-Control-Allow-Origin headers', function (done) {
+      var origin = 'http://example.com'
+
+      request.get('/posts')
+        .set('Origin', origin)
+        .expect(200)
+        .end(function (err, res) {
+          if (err) {
+            done(err)
+            return
+          } else if ('access-control-allow-origin' in res.headers) {
+            done(new Error('CORS headers were not excluded from response'))
+          } else {
+            done()
+          }
+        })
+    })
+
+  })
+
  // FIXME test fails on OS X and maybe on Windows
  // But manually updating db.json works...
  if (os.platform() === 'linux') {