14

How it is possible to add Access-Control-Allow-Origin: * header to all responses (in particular, I am interested for static files under /public/) in Meteor? I would need this so that external web apps can access data provides by my Meteor app. More information about enabling CORS is here.

Mitar
  • 6,756
  • 5
  • 54
  • 86
  • 2
    I think it's impossible in the current state of the Meteor core. We definitly needs a ways to customize `HTTP` headers. – mquandalle Apr 11 '13 at 22:57
  • Is there even not a hackish way? If I would want to use a fork of Meteor, what should I change for this? – Mitar Apr 12 '13 at 02:17
  • 1
    I would suggest Thomas' answer is the correct one, now. Clean way to access connect middleware without third party package / hack. – Wes Johnson Jan 14 '14 at 05:23

2 Answers2

21

Here is a little snippet I wrote. You can use as an example in how to access meteor's core connect and modify headers, also a pretty good drop-in for every meteor project: 

/**
 * HTTP Header Security
 *
 * enforce HTTP Strict Transport Security (HSTS) to prevent ManInTheMiddle-attacks
 * on supported browsers (all but IE)
 * > http://www.html5rocks.com/en/tutorials/security/transport-layer-security
 *
 * @header Strict-Transport-Security: max-age=2592000; includeSubDomains
 */

var connectHandler = WebApp.connectHandlers; // get meteor-core's connect-implementation

// attach connect-style middleware for response header injection
Meteor.startup(function () {
  connectHandler.use(function (req, res, next) {
    res.setHeader('Strict-Transport-Security', 'max-age=2592000; includeSubDomains'); // 2592000s / 30 days
    return next();
  })
})
Dan Dascalescu
  • 143,271
  • 52
  • 317
  • 404
Thomas
  • 446
  • 4
  • 10
8

There are two ways to go about this. One is to modify the meteor code and add it in (so that every file will be have this header). This might not be a great idea because you dont want every single file to have this. But if you do alter up do it with hooking into app

var app = __meteor_bootstrap__.app;
app.use(function(req,res) {
    res.setHeader('access-control-allow-origin', '*');
});

The other is to use a custom route with something like meteor router. This way you can control what files you want to have the headers in so its probably best to use something like this

Server side js:

Meteor.Router.add('/yourfile.txt', function() {
    this.response.setHeader('access-control-allow-origin', '*');

    var fs = Npm.require("fs");
    return fs.readFileSync("/public/yourfile.txt", "utf8");

});
Tarang
  • 75,157
  • 39
  • 215
  • 276
  • Akshat, could readFileSync have been used in this case to cut down on code? – matb33 Apr 13 '13 at 14:32
  • @akshat point of clarification... are you talking about making an edit in the meteor core? somewhere around: https://github.com/meteor/meteor/blob/master/tools/server/server.js#L297 ? – zeroasterisk May 28 '13 at 05:05
  • this can be used in your projects code as long as it runs on the server – Tarang May 28 '13 at 07:55
  • 1
    I have tried to make the `app = __meteor_bootstrap__.app;` method work on `server/app.js` (a new file created for this purpose), but I have not been able to get it working. I'm on `0.6.3`. Any chance you have an example out somewhere? – zeroasterisk May 29 '13 at 17:38
  • 1
    `__meteor_bootstrap__.app` has been renamed, and I think the new form to use is `WebApp.connectHandlers`, but you also need to add the WebApp package (with `meteor add webapp`). – StephenD Sep 23 '13 at 11:44