connectrpc · timostamm · Mar 13, 2023 · Mar 12, 2023 · Mar 13, 2023
diff --git a/packages/connect-node-test/src/helpers/testserver.ts b/packages/connect-node-test/src/helpers/testserver.ts
@@ -18,6 +18,7 @@ import * as https from "https";
 import * as fs from "fs";
 import * as path from "path";
 import type { Transport } from "@bufbuild/connect";
+import { cors } from "@bufbuild/connect";
 import {
   compressionGzip,
   connectNodeAdapter,
@@ -27,14 +28,14 @@ import {
 } from "@bufbuild/connect-node";
 import { fastifyConnectPlugin } from "@bufbuild/connect-fastify";
 import { expressConnectMiddleware } from "@bufbuild/connect-express";
-import testRoutes from "./test-routes.js";
 import {
   fastify,
   FastifyBaseLogger,
   FastifyInstance,
   FastifyTypeProviderDefault,
 } from "fastify";
 import { importExpress } from "./import-express.js";
+import testRoutes from "./test-routes.js";
 
 export function createTestServers() {
   // TODO http2 server with TLS and allow http1
@@ -180,34 +181,21 @@ export function createTestServers() {
       },
       start(port = 0) {
         return new Promise<void>((resolve) => {
-          const corsAllowHeaders = [
-            "Content-Type",
-            // gRPC-web
-            "X-User-Agent",
-            "X-Grpc-Web",
-            "Grpc-Timeout",
-            // Connect
-            "Connect-Protocol-Version",
-            "Connect-Timeout-Ms",
-            // used in tests
-            "X-Grpc-Test-Echo-Initial",
-            "X-Grpc-Test-Echo-Trailing-Bin",
-          ];
-          const corsExposeHeaders = [
-            // gRPC-web
-            "Grpc-Status",
-            "Grpc-Message",
-            // used in tests
-            "Grpc-Status-Details-Bin", // error details
-            "X-Grpc-Test-Echo-Initial",
-            "X-Grpc-Test-Echo-Trailing-Bin",
-            "Trailer-X-Grpc-Test-Echo-Trailing-Bin", // unary trailer in Connect
-          ];
           const corsHeaders = {
             "Access-Control-Allow-Origin": "*", // caution with this
-            "Access-Control-Allow-Methods": "OPTIONS, POST",
-            "Access-Control-Allow-Headers": corsAllowHeaders.join(", "),
-            "Access-Control-Expose-Headers": corsExposeHeaders.join(", "),
+            "Access-Control-Allow-Methods": cors.allowedMethods.join(","),
+            "Access-Control-Allow-Headers": [
+              ...cors.allowedHeaders,
+              // used in tests
+              "X-Grpc-Test-Echo-Initial",
+              "X-Grpc-Test-Echo-Trailing-Bin",
+            ].join(", "),
+            "Access-Control-Expose-Headers": [
+              ...cors.exposedHeaders,
+              "X-Grpc-Test-Echo-Initial",
+              "X-Grpc-Test-Echo-Trailing-Bin",
+              "Trailer-X-Grpc-Test-Echo-Trailing-Bin", // unary trailer in Connect
+            ],
             "Access-Control-Max-Age": 2 * 3600,
           };
           const serviceHandler = connectNodeAdapter({

diff --git a/packages/connect/src/cors.ts b/packages/connect/src/cors.ts
@@ -0,0 +1,83 @@
+// Copyright 2021-2023 Buf Technologies, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as connect from "./protocol-connect/headers.js";
+import * as grpc from "./protocol-grpc/headers.js";
+import * as grpcWeb from "./protocol-grpc-web/headers.js";
+
+/**
+ * CORS prevents rogue scripts in a web browser from making arbitrary requests
+ * to other web servers.
+ *
+ * This object provides helpful constants to configure CORS middleware for
+ * cross-domain requests with the protocols supported by Connect.
+ *
+ * Make sure to add application-specific headers that your application
+ * uses as well.
+ */
+export const cors = {
+  /**
+   * Request methods that scripts running in the browser are permitted to use.
+   *
+   * To support cross-domain requests with the protocols supported by Connect,
+   * these headers fields must be included in the preflight response header
+   * Access-Control-Allow-Methods.
+   */
+  allowedMethods: ["POST", "GET"] as ReadonlyArray<string>,
+
+  /**
+   * Header fields that scripts running in the browser are permitted to send.
+   *
+   * To support cross-domain requests with the protocols supported by Connect,
+   * these field names must be included in the preflight response header
+   * Access-Control-Allow-Headers.
+   *
+   * Make sure to include any application-specific headers your browser client
+   * may send.
+   */
+  allowedHeaders: [
+    connect.headerContentType,
+    connect.headerProtocolVersion,
+    connect.headerTimeout,
+    connect.headerStreamEncoding, // Unused in web browsers, but added for future-proofing
+    connect.headerStreamAcceptEncoding, // Unused in web browsers, but added for future-proofing
+    connect.headerUnaryEncoding, // Unused in web browsers, but added for future-proofing
+    connect.headerUnaryAcceptEncoding, // Unused in web browsers, but added for future-proofing
+    grpc.headerMessageType, // Unused in web browsers, but added for future-proofing
+    grpcWeb.headerXGrpcWeb,
+    grpcWeb.headerXUserAgent,
+    grpcWeb.headerTimeout,
+  ] as ReadonlyArray<string>,
+
+  /**
+   * Header fields that scripts running the browser are permitted to see.
+   *
+   * To support cross-domain requests with the protocols supported by Connect,
+   * these field names must be included in header Access-Control-Expose-Headers
+   * of the actual response.
+   *
+   * Make sure to include any application-specific headers your browser client
+   * should see. If your application uses trailers, they will be sent as header
+   * fields with a `Trailer-` prefix for Connect unary RPCs - make sure to
+   * expose them as well if you want them to be visible in all supported
+   * protocols.
+   */
+  exposedHeaders: [
+    grpcWeb.headerGrpcStatus, // Crucial for gRPC-web
+    grpcWeb.headerGrpcMessage, // Crucial for gRPC-web
+    grpcWeb.headerStatusDetailsBin, // Error details in gRCP, gRPC-web
+    connect.headerUnaryEncoding, // Unused in web browsers, but added for future-proofing
+    connect.headerStreamEncoding, // Unused in web browsers, but added for future-proofing
+  ] as ReadonlyArray<string>,
+};
diff --git a/packages/connect/src/index.ts b/packages/connect/src/index.ts
@@ -45,6 +45,7 @@ export type {
 
 export { createConnectRouter } from "./router.js";
 export type { ConnectRouter, ConnectRouterOptions } from "./router.js";
+export { cors } from "./cors.js";
 
 // TODO(TCN-1261)