Merge pull request #20044 from strapi/fix/cors-5

Make cors middleware compliant with the intended spec
2025-12-28 07:33:17 +00:00 · 2024-04-18 10:39:32 +02:00 · 2024-04-18 10:39:32 +02:00 · 0e2e3dbbe6
commit 0e2e3dbbe6
parent 0742c5784d 8515737c99
4 changed files with 21 additions and 14 deletions
--- a/packages/core/strapi/package.json
+++ b/packages/core/strapi/package.json
@ -111,7 +111,7 @@
    "watch": "pack-up watch"
  },
  "dependencies": {
-    "@koa/cors": "3.4.3",
+    "@koa/cors": "5.0.0",
    "@koa/router": "10.1.1",
    "@strapi/admin": "4.23.1",
    "@strapi/content-releases": "4.23.1",
--- a/packages/core/strapi/src/middlewares/cors.ts
+++ b/packages/core/strapi/src/middlewares/cors.ts
@ -38,6 +38,10 @@ export const cors: Common.MiddlewareFactory<Config> = (config) => {

  return koaCors({
    async origin(ctx) {
+      if (!ctx.get('Origin')) {
+        return '*';
+      }
+
      let originList: string | string[];

      if (typeof origin === 'function') {
@ -46,17 +50,11 @@ export const cors: Common.MiddlewareFactory<Config> = (config) => {
        originList = origin;
      }

-      const whitelist = Array.isArray(originList) ? originList : originList.split(/\s*,\s*/);
-
-      const requestOrigin = ctx.headers.origin ?? '';
-      if (whitelist.includes('*')) {
-        return credentials ? requestOrigin : '*';
+      if (Array.isArray(originList)) {
+        return originList.includes(ctx.get('Origin')) ? ctx.get('Origin') : false;
      }

-      if (!whitelist.includes(requestOrigin)) {
-        return ctx.throw(`${requestOrigin} is not a valid origin`);
-      }
-      return requestOrigin;
+      return originList;
    },
    exposeHeaders: expose,
    maxAge,
--- a/packages/core/types/package.json
+++ b/packages/core/types/package.json
@ -44,7 +44,7 @@
  },
  "dependencies": {
    "@casl/ability": "6.5.0",
-    "@koa/cors": "3.4.3",
+    "@koa/cors": "5.0.0",
    "@koa/router": "10.1.1",
    "@strapi/database": "4.23.1",
    "@strapi/logger": "4.23.1",
--- a/yarn.lock
+++ b/yarn.lock
@ -4136,7 +4136,16 @@ __metadata:
  languageName: node
  linkType: hard

-"@koa/cors@npm:3.4.3, @koa/cors@npm:^3.1.0":
+"@koa/cors@npm:5.0.0":
+  version: 5.0.0
+  resolution: "@koa/cors@npm:5.0.0"
+  dependencies:
+    vary: "npm:^1.1.2"
+  checksum: 3a0e32fbc422a5f9a41540ce3b7499d46073ddb0e4e851394a74bac5ecd0eaa1f24a8f189b7bd6a50c5863788ae6945c52d990edf99fdd2151a4404f266fe2e7
+  languageName: node
+  linkType: hard
+
+"@koa/cors@npm:^3.1.0":
  version: 3.4.3
  resolution: "@koa/cors@npm:3.4.3"
  dependencies:
@ -8763,7 +8772,7 @@ __metadata:
  version: 0.0.0-use.local
  resolution: "@strapi/strapi@workspace:packages/core/strapi"
  dependencies:
-    "@koa/cors": "npm:3.4.3"
+    "@koa/cors": "npm:5.0.0"
    "@koa/router": "npm:10.1.1"
    "@strapi/admin": "npm:4.23.1"
    "@strapi/content-releases": "npm:4.23.1"
@ -8867,7 +8876,7 @@ __metadata:
  resolution: "@strapi/types@workspace:packages/core/types"
  dependencies:
    "@casl/ability": "npm:6.5.0"
-    "@koa/cors": "npm:3.4.3"
+    "@koa/cors": "npm:5.0.0"
    "@koa/router": "npm:10.1.1"
    "@strapi/database": "npm:4.23.1"
    "@strapi/logger": "npm:4.23.1"