
Customize access-control-allow-origin headers in order to set specific origin domains #809

@SkepticNerdGuy

Description


What's the problem this feature will solve?

Currently, with --cors enabled, access-control-allow-origin is hard-coded to *. If http-server is behind features that require authentication (client SSL certs in my case), the fetch spec requires browsers to validate that the requesting server is set as an allowed origin. So when server1 makes a request to server2 it fails because of the wildcard. This is the intended behavior as designed. Firefox currently (correctly) follows the fetch spec, but Chrome and Edge do not. At some point, Chrome and Edge 'should' eventually be fixed.

Chrome and Edge still send certs unprompted when executing the fetch command, but when fetch is set to {credentials:"include"} in server1 requesting information from server2 you now get this error:

Access to fetch at 'https://server2.tld' from origin 'https://server1.tld' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Describe the solution you'd like

Requesting the ability to customize access-control-allow-origin headers in order to pass specific domains or set * manually.

This will allow http-server to be used correctly with authentication when a fetch is set to { credentials:"include" } .

Alternative Solutions

When the requesting server does not have fetch set to { credentials:"include" }

  • Firefox: in about:config set network.cors_preflight.allow_client_cert to true. Otherwise browser fails preflight because certs are not passed.
  • Chrome: in chrome://flags set "Omit TLS client certificates if credential mode disallows" to Disabled. This is also the default behavior: Chrome automatically sends credentials, which is against the spec.
  • Edge: no changes, flags are not available for this setting (default behavior: Edge automatically sends credentials, which is against the spec).

When fetch is set to { credentials:"include" } on server1

Fails on all browsers

Access to fetch at 'https://server2.tld' from origin 'https://server1.tld' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Alternate hack

Modify http-server source locally to hard-code it for my specific use-case: replace access-control-allow-origin = '*' and hard-code it to access-control-allow-origin = 'https://server1.tld' so it works for me. Then enable --cors and start http-server.

Additional context

I'm sure there are other use-cases for setting access-control-allow-origin to custom domains, but for the authentication issue with client SSL certs, it's a must have.

I am aware that solution #760 to issue #729 can potentially fix my problem, but automatically mirroring the origin server will allow any origin to pass credentials, which is not very safe. That fix should only be used for testing and not production.
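The allowlist behaviour requested above, written out as an added example (this is not http-server's code and not the issue author's local patch). It assumes a hypothetical `--cors-origin` option whose value is the `ALLOWED_ORIGINS` array below, and the sample origins are constructed for the example. `corsHeaders` answers a listed origin with that exact origin plus `Access-Control-Allow-Credentials: true` and `Vary: Origin`, answers an unlisted origin with no CORS headers at all, and keeps the current `*` behaviour when the allowlist is just `*`. `reflectAnyOrigin` is the "mirror whatever Origin arrives" approach from #760 that the post warns about, included only to show why it grants credentialed access to any site.

```javascript
'use strict';
// Added example, not code from http-server or from the issue author.
// Assumptions: a hypothetical --cors-origin option supplies ALLOWED_ORIGINS;
// origins are compared as exact scheme://host[:port] strings.

// Constructed sample configuration (hypothetical --cors-origin value).
const ALLOWED_ORIGINS = ['https://server1.tld', 'https://admin.server1.tld'];

// Normalise an Origin header value for comparison (lower-case scheme and
// host, default port dropped, trailing slash removed). Returns null for a
// missing, opaque ("null") or non-origin value, which is then treated as
// not allowed.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  try {
    const u = new URL(origin);
    // A bare origin has no path beyond "/", no query and no fragment.
    if (u.pathname !== '/' || u.search || u.hash) return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Compute the CORS response headers for one request.
// An empty object means "no CORS headers": the browser blocks the read.
function corsHeaders(requestOrigin, allowedOrigins) {
  // Wildcard mode, identical to http-server --cors today. Browsers reject
  // credentialed requests against '*' by design, so no credentials header.
  if (allowedOrigins.length === 1 && allowedOrigins[0] === '*') {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return {};
  const allowed = new Set(allowedOrigins.map(normalizeOrigin));
  if (!allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now depends on the Origin header, so caches must key on it.
    'Vary': 'Origin',
  };
}

// The unsafe variant the issue cautions against: any origin that shows up,
// including an attacker's page, is granted credentialed access.
function reflectAnyOrigin(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Apply the headers to a Node http.ServerResponse and answer preflights.
// Returns true when the request was an OPTIONS preflight and has been ended.
function applyCors(req, res, allowedOrigins) {
  const headers = corsHeaders(req.headers.origin, allowedOrigins);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    if (headers['Access-Control-Allow-Origin']) {
      res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,OPTIONS');
      res.setHeader('Access-Control-Allow-Headers',
        req.headers['access-control-request-headers'] || 'Content-Type');
    }
    res.statusCode = 204;
    res.end();
    return true;
  }
  return false;
}

// Minimal static-style server using the allowlist; call startServer(8080)
// to run it. It is not started automatically.
function startServer(port) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    if (applyCors(req, res, ALLOWED_ORIGINS)) return;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ ok: true }));
  });
  server.listen(port);
  return server;
}
```

With this in place, a page on https://server1.tld calling `fetch('https://server2.tld/data.json', { credentials: 'include' })` receives `Access-Control-Allow-Origin: https://server1.tld`, which satisfies the check quoted in the error message above, while a page on any other origin gets no CORS headers and is blocked. The `Vary: Origin` header matters once a cache or CDN sits in front of the server; without it a response allowed for one origin can be served to another.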
