sailsjs cors bad request still getting through to controller

So my cors.js file looks like

module.exports.cors = {
  allRoutes: true,
  origin: require('./local.js').hosts, // this is 'http://localhost'
}

I then chose a random site to make a request from, in this case: http://tools.pingdom.com/fpt/

Here is my request and response from the page

$.post('http://localhost:1337/gift/create')
Object {readyState: 1, getResponseHeader: function, getAllResponseHeaders: function, setRequestHeader: function, overrideMimeType: function…}
jquery-2.1.1.min.js:4 POST http://localhost:1337/gift/create
(index):1 XMLHttpRequest cannot load http://localhost:1337/gift/create. The 'Access-Control-Allow-Origin' header contains the invalid value ''. Origin 'http://tools.pingdom.com' is therefore not allowed access.

However, I'm still getting errors in the console as the controller function still gets called.

sails> error: Sending 500 ("Server Error") response: 
TypeError: Cannot read property 'email' of undefined

I would think that cors should just end the connection if it fails.

Am I missing a setting?

This is a duplicate of this post: "CORS: preflight passes, main request completes w/200, but browser still has Origin error", but it does not seem like it was resolved. Do we know why the post continues to go through?

Here is the response header

Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:
Connection:keep-alive
Content-Length:2
Content-Type:application/json; charset=utf-8
Date:Wed, 28 Jan 2015 15:56:51 GMT
Set-Cookie:sails.sid=s%3A5TJr82PCN-Tas2GrfKkhooEB.IWwc75iQUPRYoR7qWSep6xc%2BSLUkOV0IQe0w63GDYrQ; Path=/; HttpOnly
X-Powered-By:Sails <sailsjs.org>

There is no Access-Control-Allow-Origin set. I can make a policy for that, but is this a bug in Sails?

First things first: you should never be getting that 500 error, because you should be validating those fields in your controller code before using them!

As for the request still being processed despite your CORS settings: what you're seeing is the intended behavior, but I empathize with your confusion. Here's what you have to understand about CORS and POST requests:

POST requests don't trigger a preflight request from the browser as long as they use a common content type header like application/x-www-form-urlencoded.

The reason for this is that it has long been the case that regular old HTML forms are allowed to freely POST to a different origin. When you do a regular jQuery $.post, it uses that same content type, so the server can't distinguish it from a regular form POST and lets it through. The browser, upon receiving the empty Access-Control-Allow-Origin header, says "no way Jose" and refuses to show the response, but by that time the ship has sailed: that POST request has been processed.

If you don't want any requests from non-whitelisted origins to be processed by Sails, you can set the securityLevel in your CORS config to 1 (high) or 2 (very high):

module.exports.cors = {
  allRoutes: true,
  origin: require('./local.js').hosts, // this is 'http://localhost'
  securityLevel: 1
}

This will cause Sails to return a 403 response to any request from a disallowed domain. The difference between high and very high is that high will still allow cross-origin requests from different protocols (so your Postman requests will still work), whereas very high locks everything down tight.
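An added example (not Sails' own code and not part of the original answer) showing both points: isSimpleRequest classifies the question's form-encoded POST as one the browser sends without a preflight, and originGate is a hypothetical server-side gate modelled on the answer's description of securityLevel 0, 1 and 2, so its exact rules are an assumption rather than Sails' real implementation.

```javascript
// Added illustration, not Sails' own code: why the form-encoded POST reaches the
// controller, and what a server-side origin gate modelled on the answer's
// securityLevel description would do. The gate's exact rules are an assumption.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
// Author-settable headers a browser may add without triggering a preflight.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

function lowerHeaders(req) {
  return Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

// True when the browser sends the request without an OPTIONS preflight, which is
// the case for jQuery's $.post(url) with its default form-encoded content type.
// (Origin is set by the browser itself, so it does not count against the request.)
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  const headers = lowerHeaders(req);
  if (!Object.keys(headers).every((n) => n === 'origin' || SAFELISTED.has(n))) return false;
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return ct === '' || SIMPLE_CONTENT_TYPES.has(ct);
}

// Hypothetical gate following the answer: level 0 only sets the response header,
// so the controller still runs; level 1 (high) returns 403 to disallowed origins
// but still accepts requests with no Origin (Postman) or a scheme-only difference;
// level 2 (very high) returns 403 unless the Origin matches an allowed one exactly.
function originGate(req, allowedOrigins, securityLevel) {
  const origin = lowerHeaders(req).origin; // undefined for non-browser clients
  const stripScheme = (o) => o.replace(/^https?:\/\//i, '');
  const exact = origin !== undefined && allowedOrigins.includes(origin);
  const sameHost = origin !== undefined &&
    allowedOrigins.map(stripScheme).includes(stripScheme(origin));
  const headers = { 'Access-Control-Allow-Origin': exact ? origin : '' };
  let pass;
  if (securityLevel === 0) pass = true;
  else if (securityLevel === 1) pass = origin === undefined || sameHost;
  else pass = exact;
  return { status: pass ? 200 : 403, runController: pass, headers };
}

// Constructed request mirroring the question's $.post from the pingdom page.
const sampleRequest = { method: 'POST', headers: {
  Origin: 'http://tools.pingdom.com',
  'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' } };
```

With securityLevel 0 the gate only emits the empty header the question's response shows and lets the controller run; with level 1 or 2 the same request is answered with 403 before the controller is reached.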
