serverless-cors-middleware v1.0.1
Serverless CORS middleware
Serverless comes with a basic CORS implementation. For credentialed requests, the documentation suggests that the application handle the response.
CORS is an application responsibility, so this library aims to ease the implementation of CORS with simple middleware added to an existing HTTP handler. This is similar to the expressjs middleware implementation.
How to use
import cors from 'serverless-cors-middleware';
const yourConfig = { /* your CORS options */ };
const handler = cors(yourConfig)(yourHandler);
This handles both the preflight request and the modification of the normal HTTP response.
Credentialed requests and wildcards
When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.
Because the request headers in the above example include a Cookie header, the request would fail if the value of the Access-Control-Allow-Origin header were "*". But it does not fail: because the value of the Access-Control-Allow-Origin header is "http://foo.example" (an actual origin) rather than the "*" wildcard, the credential-cognizant content is returned to the invoking web content.
Credentials are cookies, authorization headers or TLS client certificates.
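The rule above, as an added example (not code from serverless-cors-middleware): a wrapper that echoes an allow-listed origin for credentialed requests and never emits "*" alongside Access-Control-Allow-Credentials. The names buildCorsHeaders and withCors, the config fields allowedOrigins, credentials and methods, and the AWS Lambda proxy event shape are assumptions made for this sketch.

```javascript
// Added example, not serverless-cors-middleware's implementation.
// buildCorsHeaders / withCors and the config fields are hypothetical;
// the event/response shape assumed is the AWS Lambda proxy format.

function buildCorsHeaders(origin, { allowedOrigins, credentials }) {
  // No Origin header: not a cross-origin browser request, add nothing.
  if (!origin) return {};
  if (credentials) {
    // Credentialed: a "*" entry is ignored; echo the origin only on an
    // exact allow-list match, otherwise send no CORS headers at all.
    if (!allowedOrigins.includes(origin)) return {};
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      Vary: 'Origin', // response differs per origin, so caches must key on it
    };
  }
  if (allowedOrigins.includes('*')) return { 'Access-Control-Allow-Origin': '*' };
  if (!allowedOrigins.includes(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

function withCors(config, handler) {
  return async (event) => {
    // Header names are case-insensitive; normalise before lookup.
    const reqHeaders = Object.fromEntries(
      Object.entries(event.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
    );
    const cors = buildCorsHeaders(reqHeaders.origin, config);
    const isPreflight =
      event.httpMethod === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
    if (isPreflight) {
      // Answer the preflight without invoking the application handler.
      if (Object.keys(cors).length > 0) {
        cors['Access-Control-Allow-Methods'] = config.methods.join(',');
      }
      return { statusCode: 204, headers: cors, body: '' };
    }
    const res = await handler(event);
    return { ...res, headers: { ...(res.headers || {}), ...cors } };
  };
}
```

An origin that is not on the allow-list gets a response with no CORS headers, so the browser blocks the calling page from reading it.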
References
- https://www.w3.org/TR/cors/
- https://github.com/expressjs/cors/blob/master/test/test.js
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials