I've been implementing CORS in a lil app I have using node-restify to test it out and it turns out that in the browser, the behaviour is as expected, this means, in a different origin with CORS disabled, it doesn't work, if CORS is enabled, it works.
However, the tricky part is that with CURL, it always works! I've been following this question: How can you debug a CORS request with cURL?
I'm doing this:
curl -H 'Origin: http://example.com' http://cors.somewhere.com
And using the node-restify example to debug
var restify = require('restify');
var srv = restify.createServer();
//srv.use(restify.CORS()); // I enable and disable by uncomment line
function foo(req, res, next) {
res.send("bananas");
next();
}
srv.put('/foo', foo);
srv.get('/foo', foo);
srv.del('/foo', foo);
srv.post('/foo', foo);
srv.listen(process.env.PORT || 8080);
What am I missing?
Thank you!
It sounds like you are asking if there's a way to prevent curl from making a request at all. This is impossible. curl can always make a request to the server, with or without CORS.
However, curl can also be used to mimic a browser and verify how your server will react to CORS requests. By using the --verbose
flag on curl requests, you can see the HTTP request and response headers, and verify that the CORS headers are working as expected. That is what this question covers: How can you debug a CORS request with cURL?
If CORS is enabled, you should see an Access-Control-Allow-Origin
header in the response. If CORS is disabled, you should not see any Access-Control-*
headers in the response.