What should be the default CORS Access-Control-Allow-Origin policy for custom HTTP endpoints?


I’m asking this because I stumbled upon this in a handful of packages while upgrading to the Meteor 1.3 Beta.

The thing is, with Cordova, the Origin header will now differ in port depending on the application, as before it was fixed to meteor.local. Now it’ll instead be localhost on a port >= 12000.

Working pseudocode for all custom request WebApp-style handlers would be something like this:

// Reflects whatever Origin the client sent, i.e. allows every origin
if (req.headers && req.headers.origin) {
  res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
}

My question now is though: Is it wise to allow / “bless” access from all origins?

It’s more or less just a protection of clients for themselves, to protect the end users anyway.

But on the other hand it’d e.g. allow malicious third parties to include our “content” inside of e.g. frames in other pages, right?

So… I think I’m gonna go ahead and answer my own question here, more or less…

If we’d filter req.headers.origin to either be localhost:12??? or meteor.local, and only in this case respond with the Access-Control-Allow-Origin header, that’d probably keep most phishing experiments from working out, right? In that case only something forging the origin to meteor.local or having the “victim” download a file and run it on a local server on a specific port range would be able to embed our response in a client respecting the CORS headers.

So, would that be the best solution? Any thoughts / apparent issues with that solution?

I think it’d be nice to have some example code or maybe a tiny little extension containing just the code to send the suitable CORS headers for custom HTTP endpoints as a “reference implementation”.

If I get some feedback that my aforementioned thoughts are about right, I’d volunteer to create such a small utility-extension or just a nice snippet to copy+paste.

It should look like this (pseudocode) in the end I think:

if (req.headers && (isLocalhostOrigin(req.headers.origin) || isMeteorLocalOrigin(req.headers.origin))) {
  res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
}

Is that about right?

Please provide feedback if you have any.


My first attempt at a good-enough general CORS header policy:

// Cordova clients: http://localhost on ports 12000-13999
var cordovaClientOriginRegex = /^http:\/\/localhost:1[23]\d\d\d$/;
if (req.headers && req.headers.origin && (cordovaClientOriginRegex.test(req.headers.origin) || req.headers.origin === 'http://meteor.local')) {
  res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
}

Does that look well enough as a start?
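
The allowlist policy discussed in the post, as an added example that is not part of the original post or of any Meteor package: it applies the same two rules to a set of constructed origins, including look-alikes that an unanchored or substring match would let through. The names `isAllowedOrigin`, `applyCors`, `mockRes` and `demo` are hypothetical, and the `Vary: Origin` header is an addition the post does not mention.

```javascript
// Added example; helper names are hypothetical and sample origins are constructed.
const EXACT_ORIGINS = new Set(['http://meteor.local']);
// Same range as the post's regex: http://localhost on ports 12000-13999.
const CORDOVA_ORIGIN = /^http:\/\/localhost:1[23]\d{3}$/;

function isAllowedOrigin(origin) {
  if (typeof origin !== 'string') return false;
  // Whole-string comparison only: no startsWith/includes, no unanchored regex.
  return EXACT_ORIGINS.has(origin) || CORDOVA_ORIGIN.test(origin);
}

// Sets CORS headers on a Node-style response; returns true if the origin was allowed.
function applyCors(req, res) {
  // The response depends on the request's Origin, so shared caches must key on it.
  res.setHeader('Vary', 'Origin');
  const origin = req.headers && req.headers.origin;
  if (!isAllowedOrigin(origin)) return false; // no ACAO header: browser blocks the read
  res.setHeader('Access-Control-Allow-Origin', origin);
  return true;
}

// Minimal stand-in for http.ServerResponse so the example runs offline.
function mockRes() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name.toLowerCase()] = value; } };
}

// Runs the policy over constructed origins; maps origin -> ACAO value sent (or null).
function demo() {
  const samples = [
    'http://localhost:12345',              // Cordova client
    'http://meteor.local',                 // pre-1.3 Cordova client
    'http://localhost:12345.evil.example', // look-alike host
    'http://meteor.local.evil.example',    // look-alike host
    'https://localhost:12345',             // wrong scheme
    'http://localhost:8080',               // port outside the range
    'null',                                // sandboxed iframe / file: origin
  ];
  const result = {};
  for (const origin of samples) {
    const res = mockRes();
    applyCors({ headers: { origin } }, res);
    result[origin] = res.headers['access-control-allow-origin'] || null;
  }
  return result;
}
```
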