This repository has been archived by the owner on Mar 7, 2020. It is now read-only.

Suggestion - support OPTIONS verb #7

Open
nerdguru opened this issue Sep 6, 2018 · 4 comments

@nerdguru

nerdguru commented Sep 6, 2018

Hi there,

When using OpenFaaS and Node.js to build an API accessible by JavaScript running in the browser, browsers will make a preflight OPTIONS call prior to a POST. As currently constructed, a function can respond to POST and GET verbs where they can choose to alter the Access-Control-Allow-Origin header so that CORS calls can be made in the browser, but not OPTIONS.

As a workaround for my own code, I simply added the following in index.js on line 85:

app.options("/*", function(req, res, next){
  // Answer the CORS preflight for every route
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
  res.sendStatus(200); // res.send(200) is deprecated in Express 4
});

However, I'm not sure that's the best long term fix. I thought I'd document this here and I'm willing to submit a PR for what I've done if you're interested.

@alexellis alexellis changed the title CORS headers on OPTIONS verb Suggestion - support OPTIONS verb Sep 30, 2018
@alexellis
Member

I am not sure that opening CORS up to any origin makes sense.

Access-Control-Allow-Origin', '*'

Perhaps you could specify a list of domains / URIs at least?

@nerdguru
Author

Agreed that's not what you'd set it to for a production deployment, but my point was more that there isn't a mechanism to set it currently at all for OPTIONS.

@alexellis
Member

Does this pass all the way through from the API Gateway without any issues?

If so, then perhaps you could fork this repo and use faas-cli template pull as needed for your custom override. There may be an issue tracking CORS control at a wider level over at openfaas/faas (have a search through the issues).

Some people run a reverse proxy in front of the gateway and where they serve their static content (assuming this is your current issue) as a work-around. There is also documentation over at https://docs.openfaas.com/ on CORS. For more info perhaps @kenfdev could advise?

Alex

nerdguru added a commit to nerdguru/node8-express-template that referenced this issue Oct 1, 2018
…o branch off of event.method value and handle OPTIONS CORS headers
@nerdguru
Author

nerdguru commented Oct 1, 2018

OK, so I played around with this today and the fix is really simple; see my PR. The template already could pass control of the response headers for GET and POST verbs; all I did was add another line per sub-template to do the same for OPTIONS, so now a function developer can handle CORS headers as they see fit without requiring a reverse proxy.
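
An added example, not code from the template or the PR: one way a function that receives OPTIONS requests could answer the preflight from a list of permitted origins instead of `*`, as suggested earlier in the thread. The origins, the constant names and `preflightResponse` are assumptions made for illustration.

```javascript
// Allowlist-based CORS preflight decision. All values below are constructed samples.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Takes the lower-cased request header map (the shape Node and Express expose)
// and returns { status, headers } for the OPTIONS response.
function preflightResponse(reqHeaders) {
  // Vary: Origin stops shared caches from replaying one origin's answer to another.
  const deny = { status: 403, headers: { Vary: 'Origin' } };
  const origin = reqHeaders['origin'];

  // Exact string match only: no substring or suffix tests, and no blind
  // reflection of whatever Origin the client sent.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny;

  // Validate the verb and headers the browser announces for the real request.
  const wantMethod = (reqHeaders['access-control-request-method'] || '').toUpperCase();
  const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod)) return deny;
  if (!wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return deny;

  return {
    status: 204,
    headers: {
      Vary: 'Origin',
      'Access-Control-Allow-Origin': origin, // the single matched origin, never '*'
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(','),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(','),
      'Access-Control-Max-Age': '600', // let the browser cache the preflight for 10 minutes
    },
  };
}

// Constructed sample preflights: one permitted, one from a look-alike origin.
const samples = [
  { origin: 'https://app.example.com', 'access-control-request-method': 'POST',
    'access-control-request-headers': 'Content-Type' },
  { origin: 'https://app.example.com.evil.test', 'access-control-request-method': 'POST' },
];
for (const s of samples) {
  console.log(s.origin, '->', preflightResponse(s).status);
}
```

The same allowed origin should also be set on the actual GET or POST response, since the browser checks `Access-Control-Allow-Origin` there as well as on the preflight.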
