Sails: cors origin issue in sails js.

Created on 5 Nov 2019 · 12 Comments · Source: balderdashy/sails

Node version: v8.10.0
Sails version _(sails)_: ^1.2.2
ORM hook version _(sails-hook-orm)_: 2.1.1
Sockets hook version _(sails-hook-sockets)_: ^2.0.0
Organics hook version _(sails-hook-organics)_: ^0.16.0
Grunt hook version _(sails-hook-grunt)_:
Uploads hook version _(sails-hook-uploads)_:
DB adapter & version _(e.g. [email protected])_: ^1.0.1
Skipper adapter & version _(e.g. [email protected])_:


Configured in security.js:

module.exports.security = {
  cors: {
    allRoutes: true,
    allowOrigins: ['*'],
    allowCredentials: false,
    allowRequestHeaders: 'content-type,x-csrf-token,Authorization,token,Accept-Language'
  }
};

Labels: more info please, question

All 12 comments

@Narendra93 Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

  • look for a workaround. _(Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)_
  • tell us why this issue is important to you and your team. What are you trying to accomplish? _(Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)_
  • make sure you've provided clear instructions on how to reproduce the bug from a clean install.
  • double-check that you've provided all of the requested version and dependency information. _(Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)_
  • read the code of conduct.
  • if appropriate, ask your business to sponsor your issue. _(Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)_
  • let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. _(Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)_

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

What error are you seeing? This is not likely to be an issue.

@Narendra93 - Thanks for bringing this to us. To better understand this issue, can you provide us more info about the error and what you're seeing?

@johnabrams7 I'm seeing a similar problem with Sails 1.2.3 on Node 8.16.2. Here's what's happening:

I have a global CORS setup like this, in accordance with the documentation:

/**
 * Security config
 */

module.exports.security = {
  cors: {
    allRoutes: true,
    allowOrigins: '*',
    allowCredentials: false,
    allowRequestHeaders: 'content-type,accept,authorization',
    allowRequestMethods: 'GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD',
    allowAnyOriginWithCredentialsUnsafe: true
  }
}

Once I request an unsecured endpoint (https://api.smartrecycling.org.uk/api/v1/cabin - as in, I can access it in a browser) using Axios in my app, a few things happen:

  • The web console reports a CORS error (Access to XMLHttpRequest at 'https://api.smartrecycling.org.uk/api/v1/cabin' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.).
  • This error happens both in Chrome, Brave & Firefox
  • If I check the "Network" tab of the web inspector, I see NO options request, a 200 response for the aforementioned endpoint, but no data

I then continued to try a "raw" OPTIONS request using Paw (an HTTP client like Postman):

Request:

OPTIONS /api/v1/cabin HTTP/1.1
Origin: http://localhost:3000
Access-Control-Request-Method: GET
Access-Control-Request-Headers: Content-Type, Authorization
Host: api.smartrecycling.org.uk
Connection: close
User-Agent: Paw/3.1.9 (Macintosh; OS X/10.15.1) GCDHTTPRequest

Response:

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Wed, 27 Nov 2019 10:21:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 13
Connection: close
X-Powered-By: Sails <sailsjs.com>
Allow: GET,HEAD,POST
ETag: W/"d-bMedpZYGrVt1nR4x+qdNZ2GqyRo"
Strict-Transport-Security: max-age=63072000; includeSubdomains

GET,HEAD,POST

Now, that response does not look right to me, considering the configuration above. Bug?

In addition: when accessing the same endpoint using websockets, it just works.
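
Added example, not code from the Sails project or from the commenter above: a small Node checker that parses a raw OPTIONS response like the one pasted above and lists why a browser would reject it (no Access-Control-Allow-Origin, request headers that are not allowed) and where the policy itself is risky (an origin echoed back together with credentials, which is what allowAnyOriginWithCredentialsUnsafe permits). The function and constant names are my own assumptions.

```javascript
// Added example (not Sails code); function and constant names are my own.
const SIMPLE_METHODS = ['get', 'head', 'post']; // need no Access-Control-Allow-Methods
function parseResponse(raw) {
  const [statusLine, ...lines] = raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: parseInt(statusLine.split(' ')[1], 10), headers };
}
// Comma-separated header value -> lowercase tokens ([] when the header is absent).
const tokens = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
// request = { origin, method, headers } as sent in the preflight. Returns { ok, problems, warnings }.
// The CORS safelisted-header rule is not modelled: every requested header must be listed.
function checkPreflight(raw, request) {
  const { status, headers: h } = parseResponse(raw);
  const problems = [], warnings = [];
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const method = request.method.toLowerCase();
  const allowMethods = tokens(h['access-control-allow-methods']);
  const allowHeaders = tokens(h['access-control-allow-headers']);
  if (status < 200 || status > 299) problems.push(`status ${status} is not 2xx`);
  if (!acao) {
    // Only an 'Allow:' header here means OPTIONS reached a default route handler, not the CORS layer.
    problems.push('missing Access-Control-Allow-Origin');
  } else if (acao !== '*' && acao !== request.origin) {
    problems.push(`Access-Control-Allow-Origin '${acao}' does not match '${request.origin}'`);
  } else if (acao === '*' && creds) {
    problems.push("browsers reject '*' when Access-Control-Allow-Credentials is true");
  } else if (creds) {
    warnings.push('origin reflected with credentials allowed: any site can make authenticated calls');
  }
  if (!allowMethods.includes(method) && !(allowMethods.length === 0 && SIMPLE_METHODS.includes(method))) {
    problems.push(`method ${request.method} is not allowed`);
  }
  for (const name of request.headers.map((s) => s.toLowerCase())) {
    if (!allowHeaders.includes(name) && !(allowHeaders.includes('*') && !creds)) {
      problems.push(`request header '${name}' is not in Access-Control-Allow-Headers`);
    }
  }
  return { ok: problems.length === 0, problems, warnings };
}
// Constructed sample: the OPTIONS response pasted in this thread, condensed to the relevant headers.
const THREAD_RESPONSE = ['HTTP/1.1 200 OK', 'Content-Type: text/html; charset=utf-8',
  'X-Powered-By: Sails <sailsjs.com>', 'Allow: GET,HEAD,POST', '', 'GET,HEAD,POST'].join('\r\n');
const THREAD_PREFLIGHT = { origin: 'http://localhost:3000', method: 'GET', headers: ['Content-Type', 'Authorization'] };
console.log(checkPreflight(THREAD_RESPONSE, THREAD_PREFLIGHT)); // ok: false, three problems
```

Paste any other raw OPTIONS response (for example one captured with curl -i -X OPTIONS plus the Origin and Access-Control-Request-* headers) into the same function to compare a working server against a broken one.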

@fabdrol Thanks for the detailed exploration of this. I'll bring this up with the team for further examination.
@Narendra93 What are your thoughts on the issue above?

Thanks @johnabrams7, let me know how I can help.

@fabdrol @Narendra93 Have you also tried setting allowCredentials: true, to allow browser cookies to be shared in CORS requests? Curious to see how that's also affecting allowAnyOriginWithCredentialsUnsafe: true for multiple systems being that it's particularly designed to work alongside having allowOrigins: '*' and allowCredentials: true at the same time.

@johnabrams7 I did try that, but that didn't seem to work. I'll give it another try just to be sure

@fabdrol Appreciate the help. Would you be willing to provide a minimal sails repo that reproduces this issue for the community?

@johnabrams7 Sorry, I completely didn't see this message. In any case, I have additional information, which may or may not be related: I have a different Sails installation where CORS works in nearly all cases - except when I try to do a file upload (using the fetch API with mode set to cors).

Hi @fabdrol, thanks for bringing this issue to our attention. What were you expecting to see for that particular response to the OPTIONS request?
