middleware for dynamically or statically enabling CORS in express/connect applications. 

dougwilson

troygoode

cors

middleware for dynamically or statically enabling CORS in express/connect applications

  "author": "Troy Goode <troygoode@gmail.com> (https://github.com/troygoode/)",

  "description": "middleware for dynamically or statically enabling CORS in express/connect applications",

  "keywords": ["cors", "express", "connect", "middleware"],

  "homepage": "https://github.com/expressjs/cors/",

    "url": "git://github.com/expressjs/cors.git"

      "web": "https://github.com/troygoode/"

  "bugs": {"url": "https://github.com/expressjs/cors/issues"},

    "test": "npm run lint && ./node_modules/mocha/bin/mocha",

    "lint": "./node_modules/eslint/bin/eslint.js lib test"

CORS is a node.js package for providing a [Connect](http://www.senchalabs.org/connect/)/[Express](http://expressjs.com/) middleware that can be used to enable [CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) with various options.

**[Follow me (@troygoode) on Twitter!](https://twitter.com/intent/user?screen_name=troygoode)**

[![NPM](https://nodei.co/npm/cors.png?downloads=true&stars=true)](https://nodei.co/npm/cors/)

[![build status](https://secure.travis-ci.org/expressjs/cors.svg?branch=master)](http://travis-ci.org/expressjs/cors)

  * [Simple Usage](#simple-usage-enable-all-cors-requests)

  * [Enable CORS for a Single Route](#enable-cors-for-a-single-route)

  * [Configuring CORS](#configuring-cors)

  * [Configuring CORS Asynchronously](#configuring-cors-asynchronously)

  * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight)

* [Configuration Options](#configuration-options)

## Installation (via [npm](https://npmjs.org/package/cors))

### Simple Usage (Enable *All* CORS Requests)

app.get('/products/:id', function(req, res, next){

  res.json({msg: 'This is CORS-enabled for all origins!'});

  console.log('CORS-enabled web server listening on port 80');

app.get('/products/:id', cors(), function(req, res, next){

  res.json({msg: 'This is CORS-enabled for a Single Route'});

  optionsSucccessCode: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204

  optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204

app.get('/products/:id', cors(corsOptions), function(req, res, next){

  res.json({msg: 'This is CORS-enabled for only example.com.'});

var whitelist = ['http://example1.com', 'http://example2.com'];

    var originIsWhitelisted = whitelist.indexOf(origin) !== -1;

    callback(originIsWhitelisted ? null : 'Bad Request', originIsWhitelisted);

  res.json({msg: 'This is CORS-enabled for a whitelisted domain.'});

Certain CORS requests are considered 'complex' and require an initial

`OPTIONS` request (called the "pre-flight request"). An example of a

'complex' CORS request is one that uses an HTTP verb other than

GET/HEAD/POST (such as DELETE) or that uses custom headers. To enable

pre-flighting, you must add a new OPTIONS handler for the route you want

app.options('/products/:id', cors()); // enable pre-flight request for DELETE request

app.del('/products/:id', cors(), function(req, res, next){

You can also enable pre-flight across-the-board like so:

app.options('*', cors()); // include before other routes

var corsOptionsDelegate = function(req, callback){

  if(whitelist.indexOf(req.header('Origin')) !== -1){

    corsOptions = { origin: true }; // reflect (enable) the requested origin in the CORS response

    corsOptions = { origin: false }; // disable CORS for this request

  callback(null, corsOptions); // callback expects two parameters: error and options

app.get('/products/:id', cors(corsOptionsDelegate), function(req, res, next){

* `origin`: Configures the **Access-Control-Allow-Origin** CORS header. Possible values:

 - `Boolean` - set `origin` to `true` to reflect the [request origin](http://tools.ietf.org/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS.

 - `String` - set `origin` to a specific origin. For example if you set it to `"http://example.com"` only requests from "http://example.com" will be allowed.

 - `RegExp` - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\.com$/` will reflect any request that is coming from an origin ending with "example.com".

 - `Array` - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `["http://example1.com", /\.example2\.com$/]` will accept any request from "http://example1.com" or from a subdomain of "example2.com".

 - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature `err [object], allow [bool]`) as the second.

* `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: `['GET', 'PUT', 'POST']`).

		{
		"name": "cors",
		"version": "2.8.0",
		"version": "2.8.1",
		"author": "Troy Goode <troygoode@gmail.com> (https://github.com/troygoode/)",
		@@ -5,0 +5,0 @@ "description": "middleware for dynamically or statically enabling CORS in express/connect applications",

		@@ -56,3 +56,3 @@ # `cors`
		app.get('/products/:id', cors(), function(req, res, next){
		res.json({msg: 'This is CORS-enabled for all origins!'});
		res.json({msg: 'This is CORS-enabled for a Single Route'});
		});
		@@ -74,3 +74,3 @@
		origin: 'http://example.com',
		optionsSucccessCode: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
		optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
		};
		@@ -77,0 +77,0 @@

Improved metrics