CORS applied with WebApp.connectHandlers not working as expected

aneesh007 · November 2, 2023, 11:44am

I need to apply CORS policy permits only on a specific domain.
What is the correct way to add CORS in Meteor?
Version: Meteor 2.5.3

paulishca · November 2, 2023, 1:40pm

Hi @aneesh007 we are good, thank you. How are you? My day is really good I hope yours is also fine.

How did you apply CORS and how did you expect it to work and how did it actually work if not as expected.

aneesh007 · November 3, 2023, 7:03am

@paulishca
Thank you for your response.
We have done a penetration test and it shows a serious vulnerability in CORS
(Cross-Origin Resource Sharing (CORS) policy permits any origin (Cookies Permitted))
So we need to make it more secure by allowing CORS only to pre-defined domains.
can you please suggest a good mechanism to implement CORS in the meteor project?

Tried sample:
WebApp.rawConnectHandlers.use((req, res, next) => {
const allowedOrigins = [
‘https://example.com’,
‘https://anotherdomain.com’,
];
const origin = req.headers.origin;

if (allowedOrigins.includes(origin)) {
  res.setHeader('Access-Control-Allow-Origin', origin);
}
next();

});

aneesh007 · November 3, 2023, 10:24am

@paulishca

github.com/meteor/meteor

Meteor apps have insecure CORS configuration on /sockjs/info path by default

opened 02:45AM - 06 Feb 17 UTC

closed 12:01PM - 24 Apr 17 UTC

craigdrayton

I recently conducted a vulnerability scan of my Meteor app. The scan reported an… insecure CORS configuration, where the '<app domain>/sockjs/info' path returns insecure header "Access-Control-Allow-Origin: *". See this related issue in SockJS: https://github.com/sockjs/sockjs-node/issues/217 Is there a workaround for resolving this vulnerability in Meteor or my application code / configuration? Even if the vulnerability is not a true security risk, it is important that I can get a clean bill of health from the vulnerability scan.