CORS validation for WEB Socket

Question

I'm using expressjs and added cors validation for a all origins.

const options = {


 origin: ['*'],
  credentials: true,
  exposedHeaders: false,
  preflightContinue: false,
  optionsSuccessStatus: 204,
  methods: ['GET', 'POST'],
  allowedHeaders: allowedHeaders,
};

module.exports = cors(options);

This is enabling one of the two CORS requests that I'm using however, One of which is a response from server and the other one is a socket.

I'm using angular observable to get the response like.

    const headers = {
      // Host: '',
    };
    return this.http.get(`${environment.BASE_URL}:${_port}`,
 { headers, observe: 'response' });
  }

The request that is not a socket sends a proper response. However, the one with the socket is sending me a different object.

But I'm also getting the right response from socket if I look into the network tab.

See screenshots below.

https://prnt.sc/qlq9up (CORS Invalid)

https://prnt.sc/qlqd88 (Response Header in network Tab)

This header is retrievable if I turn on the CORSe Extension on my Firefox Browser.

EDIT: I'm not using Socket.io but rather a Web Socket websocket = require('ws');

---

ANSWER : My issue was a logical error.

This wasn't exactly what solved my issue because I was using websocket and not socket.io however, this made me realize my problem, I was listening to websocket and https seperately and was able to fix this once I added the option to use cors in websocket

Answer 1

my example that is working, socket are to different server

// socket.js server config,for express

const app = express();
const server = app.listen(process.env.SOCKET_PORT, function () {
    console.log("Server started: http://localhost:" + process.env.SOCKET_PORT + "/");
});

app.use(function (req, res, next) {
    res.setHeader(
        "Access-Control-Allow-Headers",
        "X-Access-Token, Content-Type, Lang, crossDomain"
    );
    res.setHeader(
        "Access-Control-Allow-Methods",
        "POST, GET, OPTIONS, PUT, DELETE"
    );
    res.setHeader("Access-Control-Allow-Origin", "*");
    req.headers.host = req.headers["x-forwarded-host"];
    res.setHeader("Cache-Control", "no-cache");

    //intercepts OPTIONS method
    if ('OPTIONS' === req.method) {
        //respond with 200
        res.sendStatus(200);
    } else {
        //move on
        next();
    }
});

const io = require('socket.io')(server, {
    transports: [
        // 'polling',
        "websocket"
    ],
    allowUpgrades: true,
    adapter: redisAdapter({host: 'localhost', port: process.env.REDIS_PORT || '6379'}),
    pingInterval: 3000,
    wsEngine: 'ws'
})

also I have config inside nginx.conf

 location / {
// important line

        proxy_set_header 'Access-Control-Allow-Origin' '*';
        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

  # redirect all traffic to local port;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect off;
        proxy_read_timeout 86400;

        # prevents 502 bad gateway error
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;

        reset_timedout_connection on;


//your port here
        proxy_pass http://localhost:YOUR_PORT;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

Answer 2

adding cors:true to the options object worked for me

const options = {
origin: ['*'],
cors:true,
credentials: true,
exposedHeaders: false,
preflightContinue: false,
optionsSuccessStatus: 204,
methods: ['GET', 'POST'],
allowedHeaders: allowedHeaders,
};