Edit Page

Cross-Origin Resource Sharing (CORS)

CORS is a mechanism that allows browser scripts on pages served from other domains (e.g. myothersite.com) to talk to your server (e.g. api.mysite.com). Like JSONP, the goal of CORS is to circumvent the same-origin policy, allowing your Sails server to successfully respond to requests from client-side JavaScript code running on a page hosted from some other domain. Unlike JSONP, it works with more than just GET requests, and it allows you to whitelist particular origins (staging.yoursite.com or yourothersite.net) and prevent requests from others (evil.com).

Sails can be configured to allow cross-origin requests from a list of domains you specify, or from every domain. This can be done on a per-route basis, or globally for every route in your app.

Enabling CORS

#

For security reasons, CORS is disabled by default in Sails. But enabling it is simple.

To allow cross-origin requests from a whitelist of trusted domains to any route in your app, simply enable allRoutes and provide an origin setting in config/security.js:

cors: {
  allRoutes: true,
  allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888']
}

To allow cross-origin requests from any domain to any route in your app, use allowOrigins: '*':

cors: {
  allRoutes: true,
  allowOrigins: '*',
  allowCredentials: false
}

Note that when using allowOrigins: '*', the allowCredentials setting must be false, which means that requests containing cookies will be blocked. This restriction exists to prevent third-party sites from being able to trick your logged-in users into making unauthorized requests to your app. You can lift this restriction (at your own risk!) using the allowAnyOriginWithCredentialsUnsafe setting.

See sails.config.security.cors for a comprehensive reference of all available options.

Configuring CORS for individual routes

#

In addition to the global CORS configuration in config/security.js, these settings can be configured on a per-route basis in config/routes.js.

If you set allRoutes: true in config/security.js but want to exempt a specific route, set cors: false in the route's target:

'POST /signup': {
   action: 'user/signup',
   cors: false
}

To enable or override global CORS configuration for a particular route, provide cors as a dictionary:

'GET /videos': {
   action: 'video/find',
   cors: {
     allowOrigins: ['http://example.com','https://api.example.com','http://blog.example.com:1337','https://foo.com:8888'],
     allowCredentials: false
   }
}

Notes

#
  • CORS support is only relevant for HTTP requests. Requests made via sockets are not subject to cross-origin restrictions. To ensure that your app is secure via sockets, configure the onlyAllowOrigins setting (typically in config/env/production.js).
  • CORS is not supported in Internet Explorer 7. Fortunately, it is supported in IE8 and up, as well as in all other modern browsers.
  • Read more about CORS from MDN.
  • Read the CORS spec.

Is something missing?

If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the sails repo. Once we merge it, the changes will be reflected on the website the next time it is deployed.

Concepts