diff --git a/packages/server-admin-ui/src/views/security/Settings.js b/packages/server-admin-ui/src/views/security/Settings.js
index cae4b3c92..1d4ca7bf4 100644
--- a/packages/server-admin-ui/src/views/security/Settings.js
+++ b/packages/server-admin-ui/src/views/security/Settings.js
@@ -210,13 +210,14 @@ class Settings extends Component {
{' '}
@@ -232,7 +233,8 @@ class Settings extends Component {
value={this.state.allowedCorsOrigins}
/>
- Use comma delimited list, example:
+ Use either * or a comma delimited list of origins,
+ example:
http://host1.name.com:3000,http://host2.name.com:3000
diff --git a/src/cors.ts b/src/cors.ts
index 8d8e3859f..2ca5deba4 100644
--- a/src/cors.ts
+++ b/src/cors.ts
@@ -9,15 +9,29 @@ export function setupCors(
) {
const corsDebug = createDebug('signalk-server:cors')
+ const corsOptions: CorsOptions = {
+ credentials: true
+ }
+
const corsOrigins = allowedCorsOrigins
? allowedCorsOrigins
.split(',')
.map((s: string) => s.trim().replace(/\/*$/, ''))
: []
- corsDebug(`corsOrigins:${corsOrigins.toString()}`)
- const corsOptions: CorsOptions = {
- credentials: true,
- origin: corsOrigins
+
+ // default wildcard cors configuration does not work
+ // with credentials:include client requests, so add
+ // our own wildcard rule that will match all origins
+ // but respond with that origin, not the default *
+ if (allowedCorsOrigins?.startsWith('*')) {
+ corsOptions.origin = (origin: string | undefined, cb) => cb(null, origin)
+ corsDebug('Allowing all origins')
+ } else if (corsOrigins.length > 0) {
+ // set origin only if corsOrigins are set so that
+ // we get the default cors module functionality
+ // for simple requests by default
+ corsOptions.origin = corsOrigins
+ corsDebug(`corsOrigins:${corsOrigins.toString()}`)
}
app.use(cors(corsOptions))
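Review bot: The wildcard branch behind `allowedCorsOrigins?.startsWith('*')` reflects whatever `Origin` the browser sent while `credentials: true` stays set, which is exactly the combination the CORS spec refuses for a literal `*`, since it lets any site on the internet make cookie- or token-authenticated requests as the logged-in user; that is an operator opt-in here, but the comment only explains why the stock `*` does not work, not what is given up. The same line has two smaller problems: `startsWith('*')` also matches a value like `*.example.com`, which an operator would read as a subdomain pattern but which silently becomes allow-all, and it tests the raw string while the list branch trims entries, so a leading space defeats the match. Suggest `if (allowedCorsOrigins?.trim() === '*')` and extending the comment with `// NOTE: this reflects any Origin with Access-Control-Allow-Credentials: true, so every site can make authenticated requests; only enable on a deliberately public server`. Whether the admin UI rejects values such as `*.foo` before they reach here is not visible in this diff.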
@@ -44,7 +58,11 @@ export const handleAdminUICORSOrigin = (
securityConfig.allowedCorsOrigins.length > 0
) {
allowedCorsOrigins = securityConfig.allowedCorsOrigins?.split(',')
- if (allowedCorsOrigins.indexOf(securityConfig.adminUIOrigin) === -1) {
+ const adminUIOriginUrl = new URL(securityConfig.adminUIOrigin)
+ if (
+ allowedCorsOrigins.indexOf(securityConfig.adminUIOrigin) === -1 &&
+ adminUIOriginUrl.hostname !== 'localhost'
+ ) {
allowedCorsOrigins.push(securityConfig.adminUIOrigin)
}
}
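Review bot: `new URL(securityConfig.adminUIOrigin)` on the added line throws a `TypeError` for any value that is not an absolute URL, so an empty or malformed `adminUIOrigin` in the security config now aborts `handleAdminUICORSOrigin` where the old code would merely have pushed the value unchanged; guard it, e.g. `let adminHost: string | undefined; try { adminHost = new URL(securityConfig.adminUIOrigin).hostname } catch { adminHost = undefined }` and compare `adminHost !== 'localhost'`. Where `adminUIOrigin` is produced and whether it is validated upstream is outside this hunk, so this may already be guaranteed. Note also that the `split(',')` entries here are not trimmed as they are in `setupCors`, so an entry written with a space after the comma will not satisfy `indexOf` and the admin origin is appended a second time; and a literal `*` setting gets the admin origin appended (`*,http://…`), which still passes the `startsWith('*')` check but deserves a comment. `handleAdminUICORSOrigin` begins before and ends after this hunk.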