Giters

hapijs / hapi

The Simple, Secure Framework Developers Trust

Home Page:https://hapi.dev

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CORS issue when using additional headers

netgfx opened this issue · comments

commented

Runtime

browser

Runtime version

125.0.6422.142

Module version

21.3.10

Last module version without issue

No response

Used with

hapi

Any other relevant information

const server = Hapi.server({
port: 3000,
host: 'localhost',
"routes": {
"cors": {
"origin": ["*"],
"additionalHeaders": ["Ngrok-Skip-Browser-Warning"]
}
}
});

I have setup a nodejs app with hapi endpoints, and exposed them through ngrok
I'm sending the extra header Ngrok-Skip-Browser-Warning to avoid the warning page of ngrok, but I get response CORS error on preflight

Access to fetch at 'https://....ngrok-free.app/screenshot?url=https://www.git-scm.com/' from origin 'https://something.something.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://something.something.app, *', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I have also tried cors: true but then it says that there is an extra header present and still fails.

API request from postman works correctly.

What are you trying to achieve or the steps to reproduce?

Making a simple fetch request towards the endpoint

fetch(${API_URL}/screenshot?url=${data.url}, {
method: "GET",
headers: {
"Content-Type": "application/json",
"ngrok-skip-browser-warning": "any",
},
})

What was the result you got?

 Access to fetch at 'https://....ngrok-free.app/screenshot?url=https://www.git-scm.com/' from origin 'https://something.something.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://something.something.app, *', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

What result did you expect?

No cors error

commented

This seems like a usage or integration issue with ngrok.

We don't support ngrok, so if you think there is a bug in hapi, please isolate the issue to it.

commented

That might be the case yes. I ended up switching to another library that probably has ngrok support since it was needed in my use case.