fix: prevent CORS policy header leakage for rejected origins

jkyberneees · jkyberneees · commit 2e8f471ae8fc · 2026-02-07T20:52:17.000+01:00
Move CORS policy headers (Allow-Methods, Allow-Headers, Max-Age,
Allow-Credentials) inside the origin-allowed check so they are not
sent to disallowed origins during preflight responses.
diff --git a/lib/middleware/cors.js b/lib/middleware/cors.js
@@ -131,24 +131,24 @@ function createCORS(options = {}) {
         if (typeof origin === 'function' || Array.isArray(origin)) {
           response.headers.set('Vary', 'Origin')
         }
-      }
 
-      // Don't allow wildcard origin with credentials
-      if (credentials && allowedOrigin !== '*') {
-        response.headers.set('Access-Control-Allow-Credentials', 'true')
-      }
+        // Don't allow wildcard origin with credentials
+        if (credentials && allowedOrigin !== '*') {
+          response.headers.set('Access-Control-Allow-Credentials', 'true')
+        }
 
-      response.headers.set(
-        'Access-Control-Allow-Methods',
-        (Array.isArray(methods) ? methods : [methods]).join(', '),
-      )
+        response.headers.set(
+          'Access-Control-Allow-Methods',
+          (Array.isArray(methods) ? methods : [methods]).join(', '),
+        )
 
-      response.headers.set(
-        'Access-Control-Allow-Headers',
-        allowedHeadersList.join(', '),
-      )
+        response.headers.set(
+          'Access-Control-Allow-Headers',
+          allowedHeadersList.join(', '),
+        )
 
-      response.headers.set('Access-Control-Max-Age', maxAge.toString())
+        response.headers.set('Access-Control-Max-Age', maxAge.toString())
+      }
 
       if (preflightContinue) {
         const result = next()
diff --git a/test/unit/cors.test.js b/test/unit/cors.test.js
@@ -683,12 +683,48 @@ describe('CORS Middleware', () => {
 
       const middleware = cors({
         origin: false, // Explicitly set to false
+        credentials: true,
+      })
+
+      const response = await middleware(req, next)
+
+      expect(response.status).toBe(204)
+      expect(response.headers.get('Access-Control-Allow-Origin')).toBeNull()
+      // Should not leak CORS policy headers to disallowed origins
+      expect(response.headers.get('Access-Control-Allow-Methods')).toBeNull()
+      expect(response.headers.get('Access-Control-Allow-Headers')).toBeNull()
+      expect(response.headers.get('Access-Control-Max-Age')).toBeNull()
+      expect(
+        response.headers.get('Access-Control-Allow-Credentials'),
+      ).toBeNull()
+      expect(next).not.toHaveBeenCalled()
+    })
+
+    it('should not leak CORS headers in preflight for rejected origins', async () => {
+      req = createTestRequest('OPTIONS', '/api/test')
+      req.headers = new Headers({
+        Origin: 'https://evil.com',
+        'Access-Control-Request-Method': 'POST',
+      })
+
+      const middleware = cors({
+        origin: ['https://trusted.com'],
+        credentials: true,
+        maxAge: 3600,
+        methods: ['GET', 'POST'],
+        allowedHeaders: ['Content-Type', 'Authorization'],
       })
 
       const response = await middleware(req, next)
 
       expect(response.status).toBe(204)
       expect(response.headers.get('Access-Control-Allow-Origin')).toBeNull()
+      expect(response.headers.get('Access-Control-Allow-Methods')).toBeNull()
+      expect(response.headers.get('Access-Control-Allow-Headers')).toBeNull()
+      expect(response.headers.get('Access-Control-Max-Age')).toBeNull()
+      expect(
+        response.headers.get('Access-Control-Allow-Credentials'),
+      ).toBeNull()
       expect(next).not.toHaveBeenCalled()
     })
 
