Allow not returning any access control headers if the Origin is not allowed to access the resource
mjarosie opened this issue · comments
Describe the feature
At the moment the library does not allow handling the scenario in which the origin is not allowed to access the resource: it expects options. origin to always return a string. That leads to developers having to come up with a "workaround" configuration (for example here or here) which is not ideal:
- I'd rather not return any allowed domains to the caller if the caller is not allowed to call my API in the first place as it might undisclose details unnecessarily.
- Returning
false/undefinedfromoriginfunction causes the middleware to be completely ignored which seems to be a feature of this library as there's a unit test that proves this behaviour. - Returning a
nullis not a good practice because of security issues as described in this issue.
If the request Origin is not allowed, the middleware should be able to respond to pre-flight requests immediately with no Access-Control headers being returned at all.
Checklist
- I have searched through GitHub issues for similar issues.
- I have completely read through the README and documentation.
To set no Access-Control headers at all in the response, return an empty string "" from the options.origin function.