opensource/json-server
1
0
Fork 0
mirror of https://github.com/typicode/json-server.git synced 2025-07-28 04:32:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

Allow disabling of CORS

Browse Source 
It is desirable to disable CORS for development purposes in order to
validate same-origin policy and web security concepts. Additionally,
json-server could be used to show proxy concepts.

This change adds a new CLI option `--no-cors` which disables CORS by not
adding the CORS middleware. The change is backwards compatible since the
default behavior, i.e. adding CORS headers is retained.
This commit is contained in:
Ben Ripkens
2016-01-17 08:27:05 +01:00
parent b751cec815
commit c50532dd75
4 changed files with 46 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/cli/index.js
View File

@ -36,6 +36,10 @@ module.exports = function () {
alias: 'ro', alias: 'ro',
description: 'Allow only GET requests' description: 'Allow only GET requests'
}, },
'no-cors': {
alias: 'nc',
description: 'Disable Cross-Origin Resource Sharing'
},
snapshots: { snapshots: {
alias: 'S', alias: 'S',
description: 'Set snapshots directory', description: 'Set snapshots directory',
@ -58,6 +62,7 @@ module.exports = function () {
.boolean('watch') .boolean('watch')
.boolean('read-only') .boolean('read-only')
.boolean('quiet') .boolean('quiet')
.boolean('no-cors')
.help('help').alias('help', 'h') .help('help').alias('help', 'h')
.version(pkg.version).alias('version', 'v') .version(pkg.version).alias('version', 'v')
.example('$0 db.json', '') .example('$0 db.json', '')

3
src/cli/run.js
View File

@ -44,7 +44,8 @@ function createApp (source, object, routes, argv) {
var defaultsOpts = { var defaultsOpts = {
logger: !argv.quiet, logger: !argv.quiet,
readOnly: argv.readOnly readOnly: argv.readOnly,
noCors: argv.noCors
} }
if (argv.static) { if (argv.static) {

4
src/server/defaults.js
View File

@ -32,7 +32,9 @@ module.exports = function (opts) {
} }
// Enable CORS for all the requests, including static files // Enable CORS for all the requests, including static files
arr.push(cors({ origin: true, credentials: true })) if (!opts.noCors) {
arr.push(cors({ origin: true, credentials: true }))
}
if (process.env.NODE_ENV === 'development') { if (process.env.NODE_ENV === 'development') {
// only use in development // only use in development

36
test/cli/index.js
View File

@ -53,6 +53,15 @@ describe('cli', function () {
request.get('/posts').expect(200, done) request.get('/posts').expect(200, done)
}) })
it('should send CORS headers', function (done) {
var origin = 'http://example.com'
request.get('/posts')
.set('Origin', origin)
.expect('access-control-allow-origin', origin)
.expect(200, done)
})
}) })
describe('seed.js', function () { describe('seed.js', function () {
@ -140,6 +149,33 @@ describe('cli', function () {
}) })
describe('db.json --no-cors=true', function () {
beforeEach(function (done) {
child = cli(['fixtures/seed.js', '--no-cors=true'])
serverReady(PORT, done)
})
it('should not send Access-Control-Allow-Origin headers', function (done) {
var origin = 'http://example.com'
request.get('/posts')
.set('Origin', origin)
.expect(200)
.end(function (err, res) {
if (err) {
done(err)
return
} else if ('access-control-allow-origin' in res.headers) {
done(new Error('CORS headers were not excluded from response'))
} else {
done()
}
})
})
})
// FIXME test fails on OS X and maybe on Windows // FIXME test fails on OS X and maybe on Windows
// But manually updating db.json works... // But manually updating db.json works...
if (os.platform() === 'linux') { if (os.platform() === 'linux') {