Setting corsHandler.origin #515

Comments
Hi @StrangeRanger Have you already tried the following?

```ts
// nuxt.config.ts
// It worked.
export default {
  routeRules: {
    security: {
      corsHandler: false, // This temporarily solved the problem.
    },
    headers: {
      'Access-Control-Allow-Origin': ["https://hthompson.dev", "https://*.hthompson.dev"]
    }
  }
}
```

However, it did not solve the root of the problem and I am still investigating the cause. 🤔
Sorry for not getting back to you sooner, @myaaaapon; I have not tried that. Though, with disabling the

As another note, I don't have

```ts
export default defineNuxtConfig({
  ........................,
  routeRules: {
    headers: {
      'Access-Control-Allow-Origin': ["https://hthompson.dev/", "https://*.hthompson.dev"]
    }
  },
  security: {
    corsHandler: false,
    ...........
  },
  ............
});
```
Thank you StrangeRanger for opening this issue; actually, I was facing this a few days ago and got stuck on it. After trying to set the CORS in routeRules, it worked on Windows browsers and Android. But I wonder, have you tried on an iOS browser? I always get 403 once I request the API unless I change the 'Access-Control-Allow-Origin' to '*'.
Having the same issue here, would be nice if this can get fixed.

@Morgbn would you be able to help here? :)
Hello, don't know how I can help. If I do:

```sh
curl 'http://localhost:3300/api/contact' \
  -H 'accept: application/json' \
  -H 'content-type: application/json' \
  -H 'Origin: https://hthompson.dev' \
  --data-raw '{}' \
  --verbose
```

I have

Useful links:

Thanks for the help @Morgbn . You are a 🌟
@whitersun Thank you for your reply. Your workaround works for me only if I specify the route (i.e.,

@Morgbn Unfortunately, your method didn't work for me. As for your

@Baroshem, I just wanted to ping you in this response in case it provided any helpful information.

I've also provided my current nuxt.config.ts:

```ts
// https://nuxt.com/docs/api/configuration/nuxt-config
import vuetify, { transformAssetUrls } from "vite-plugin-vuetify";

export default defineNuxtConfig({
  plugins: [
    process.env.NODE_ENV !== "development"
      ? "plugins/production/vue-matomo.client.js"
      : "",
    process.env.NODE_ENV !== "development"
      ? "plugins/production/cloudflare.client.js"
      : "",
  ].filter(Boolean),
  devtools: { enabled: true },
  build: {
    transpile: ["vuetify"],
  },
  modules: [
    "@nuxt/eslint",
    "nuxt-security",
    "@nuxt/devtools",
    (_options, nuxt) => {
      nuxt.hooks.hook("vite:extendConfig", (config) => {
        config.plugins.push(vuetify({ autoImport: true }));
      });
    },
  ],
  routeRules: {
    "/*": {
      headers: {
        "Access-Control-Allow-Origin": [
          "https://hthompson.dev",
          "https://*.hthompson.dev",
        ],
      },
    },
  },
  security: {
    enabled: true,
    strict: true,
    nonce: true,
    corsHandler: false,
    //corsHandler: {
    //  origin: ["https://hthompson.dev", "https://*.hthompson.dev"],
    //},
    allowedMethodsRestricter: {
      methods: ["GET", "HEAD", "OPTIONS"],
    },
    headers: {
      crossOriginEmbedderPolicy:
        process.env.NODE_ENV === "development" ? "unsafe-none" : "require-corp",
      contentSecurityPolicy: {
        "default-src": ["'self'"],
        "img-src": ["'self'", "blob:"],
        "style-src": ["'self'", "https:", "'unsafe-inline'"],
        "connect-src": ["'self'", "https://analytics.hthompson.dev"],
        "script-src": [
          "'self'",
          "https:",
          "'unsafe-inline'",
          "'strict-dynamic'",
          "'nonce-{{nonce}}'",
          "https://analytics.hthompson.dev",
          "https://files.hthompson.dev/scripts/tracking.js",
          "https://static.cloudflareinsights.com",
        ],
      },
      referrerPolicy: "same-origin",
      strictTransportSecurity: {
        maxAge: 31536000,
        includeSubdomains: true,
        preload: true,
      },
      xContentTypeOptions: "nosniff",
      xFrameOptions: "SAMEORIGIN",
      xXSSProtection: "1; mode=block",
    },
    hidePoweredBy: true,
  },
  vite: {
    vue: {
      template: {
        transformAssetUrls,
      },
    },
  },
  css: ["~/assets/css/main.css"],
  telemetry: false,
  compatibilityDate: "2024-10-19",
});
```

Here is a link to easily display the headers of the current version of my website to see it in action:
Description

I encountered a similar issue as described in Issue 505 and Issue 497. However, I believe my case might be slightly different, so I'm opening a new issue.

When attempting to configure the `corsHandler.origin` to a specific value, such as `https://hthompson.dev`, the `access-control-allow-origin` header remains set to `*` instead of reflecting the specified origin. I have tried various configurations, but the issue persists. In Issue 505, the author mentioned the direct use of the `access-control-allow-origin` header, which I may have misunderstood, but applying that suggestion did not resolve the problem.

Ultimately, my goal is to configure the origin to something like `["https://hthompson.dev", "https://*.hthompson.dev"]` or `["https://hthompson.dev", "https://analytics.hthompson.dev"]`. But right now, I'm stumped.

Version

nuxt-security: 2.0.0-rc.9
nuxt: 3.12.4

Reproduction Link

Repository Link

Steps to Reproduce

1. Switch to the `nuxt-security` branch: `git checkout nuxt-security`.
2. `pnpm install && pnpm run build`.
3. `node .output/server/index.mjs`.
4. `curl -I http://localhost:3000`.
5. The `access-control-allow-origin` header remains set to `*`.

Expected Behavior

The `access-control-allow-origin` header should be set according to the configuration specified in the `nuxt.config.ts` file.

Actual Behavior

The header defaults to `access-control-allow-origin: *`, regardless of the specified configuration.
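The report above asks for `corsHandler.origin` to reflect a configured allowlist instead of `*`, and the reproduction steps check the result with `curl -I`. The following standalone JavaScript is an added illustration, not code from nuxt-security or from any participant in this thread. It shows the allowlist semantics the reporter wants (exact origins plus a `https://*.hthompson.dev` wildcard that admits subdomains but not the apex or look-alike hosts such as `evil-hthompson.dev`), the response headers a server should emit for an allowed origin (the origin itself, never `*`, together with `Vary: Origin`), and an audit function that parses a `curl -I` style header block and flags the wildcard symptom described in the issue. The function names, the `DEFAULT_PORTS` table and the sample response are constructed for this example; only the hostnames come from the issue.

```javascript
// Added example, not code from the nuxt-security project: the allowlist
// semantics requested in the issue, plus a check for the reported symptom
// (access-control-allow-origin: * although a specific origin list was configured).

const DEFAULT_PORTS = { http: "80", https: "443" };

// Parse an Origin value ("https://hthompson.dev", "https://app.hthompson.dev:8443")
// into normalized parts. Anything that is not a plain scheme://host[:port]
// origin (including the literal "null") yields null and therefore never matches.
function parseOrigin(value) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#\s]+)(?::(\d{1,5}))?$/i.exec(String(value).trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] ?? DEFAULT_PORTS[scheme] ?? "" };
}

// Compile one allowlist entry into a predicate. A leading "*." label matches
// one or more subdomain labels but never the apex, so "https://*.hthompson.dev"
// admits "https://app.hthompson.dev" and rejects both "https://hthompson.dev"
// and "https://evil-hthompson.dev". Scheme and port must match exactly.
function compileAllowlistEntry(entry) {
  const pattern = parseOrigin(entry);
  if (!pattern) throw new Error(`invalid allowlist entry: ${entry}`);
  const { scheme, host, port } = pattern;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".hthompson.dev"
    return (o) => o.scheme === scheme && o.port === port &&
      o.host.length > suffix.length && o.host.endsWith(suffix);
  }
  if (host.includes("*")) throw new Error(`wildcard only allowed as leading label: ${entry}`);
  return (o) => o.scheme === scheme && o.port === port && o.host === host;
}

// True when the request Origin matches at least one configured allowlist entry.
function isAllowedOrigin(requestOrigin, allowlist) {
  const origin = parseOrigin(requestOrigin);
  if (!origin) return false;
  return allowlist.map(compileAllowlistEntry).some((matches) => matches(origin));
}

// Headers a server should emit for a request Origin: reflect the exact allowed
// origin (never "*") and add "Vary: Origin" so a shared cache does not hand one
// origin's allow header to a different origin. Disallowed origins get no CORS
// headers at all, which browsers treat as "not permitted".
function corsResponseHeaders(requestOrigin, allowlist) {
  if (!isAllowedOrigin(requestOrigin, allowlist)) return {};
  return { "access-control-allow-origin": requestOrigin, vary: "Origin" };
}

// Audit a raw response header block (the shape `curl -I` prints) and report
// whether access-control-allow-origin is missing, a wildcard, or a specific
// origin, and whether Vary includes Origin.
function auditCorsHeaders(rawHeaders) {
  const headers = {};
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = headers[name] ? `${headers[name]}, ${value}` : value;
  }
  const acao = headers["access-control-allow-origin"];
  const varyOrigin = (headers.vary ?? "").split(",").map((v) => v.trim().toLowerCase()).includes("origin");
  if (acao === undefined) return { kind: "missing", value: null, varyOrigin };
  if (acao === "*") return { kind: "wildcard", value: acao, varyOrigin };
  return { kind: "specific", value: acao, varyOrigin };
}

// Constructed sample: the kind of output `curl -I` prints for a build showing
// the symptom from the issue. Not captured from the reporter's site.
const SAMPLE_WILDCARD_RESPONSE = [
  "HTTP/1.1 200 OK",
  "content-type: text/html; charset=utf-8",
  "access-control-allow-origin: *",
  "x-content-type-options: nosniff",
  "",
].join("\r\n");

// The allowlist the reporter wants to configure.
const ALLOWLIST = ["https://hthompson.dev", "https://*.hthompson.dev"];

console.log(auditCorsHeaders(SAMPLE_WILDCARD_RESPONSE)); // kind: "wildcard"
console.log(corsResponseHeaders("https://app.hthompson.dev", ALLOWLIST));
console.log(corsResponseHeaders("https://evil-hthompson.dev", ALLOWLIST)); // {}
```

`auditCorsHeaders` can be pointed at the saved output of step 4 in the reproduction (`curl -I http://localhost:3000`) in a CI job, so a deployment that regresses to the wildcard fails before it ships. A wildcard matters because it tells every browser origin that it may read the response body; when the intent was a short allowlist, `*` in the deployed headers is the finding to alert on.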