Access-Control-Allow-Origin

I have added the code below in red.js to enable headers for Node-RED, but the Access-Control-Allow-Origin header is not coming back as http://google.com/; it's coming back as *.
The other headers are reflected in Node-RED.

// Express middleware added to red.js (the poster's code, with comments added).
app.use(function(req, res, next) {
  // Browsers send Origin as scheme://host[:port] with no path and no trailing
  // slash, so "http://google.com/" (with the slash) can never equal a real Origin.
  res.setHeader("Access-Control-Allow-Origin", "http://google.com/");
  res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
  // Anti-framing and transport hardening headers; these are not part of CORS.
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-XSS-Protection", "1; mode=block");
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  next();
});

I want to implement this at the Node-RED level.

Can you tell me how I can whitelist some domains in Node-RED?
Can I set Node-RED headers from settings.js as well?

You seem to be amending the core of Node-RED to make it possible to access Node-RED endpoints from an unsecured google location.

This strikes me as unwise on several levels.

Firstly, I doubt that Nick will want this in the core code. Certainly I wouldn't be happy to see it. Additionally, I'm not sure that it is even necessary to put it there, but we don't have enough information about what you are trying to do to be able to help.

Secondly, the purpose of those headers is to enable secure connections between domains, and so trying to include a non-TLS-connected domain is probably not wise. If I remember correctly, I'm not even sure that you can do anything other than "*" for a non-TLS connection.

Not unless you can explain more about what you are trying to achieve and why you can't do it at the flow level rather than having to hack the core.

I want to Configure CORS in Node-RED.


@knolleary Any suggestions on this?

What exactly are you trying to enable CORS on? The editor as a whole or your HTTP In nodes?

I am trying to enable it for the editor as a whole. Actually, I want to disable all communication with Node-RED except from mydomain.com.
Basically, I am trying to whitelist only my domain (one or more).

// Same middleware in red.js, now with the poster's own domain (comments added).
app.use(function(req, res, next) {
  // A browser's Origin header has no trailing slash, so "https://mydomain.com/"
  // will not match it; "https://mydomain.com" is the form the browser sends.
  res.setHeader("Access-Control-Allow-Origin", "https://mydomain.com/");
  res.setHeader('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
  // Anti-framing and transport hardening headers; these are not part of CORS.
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("X-XSS-Protection", "1; mode=block");
  res.setHeader("Strict-Transport-Security", "max-age=31536000");
  next();
});

I have put the above code in red.js, but I am not getting the first header, "Access-Control-Allow-Origin", as "https://mydomain.com/". It's coming back as *.

You shouldn't need to edit red.js - we added httpAdminMiddleware in the last release, which would allow you to do this via your settings file.

Regardless, it looks like something is overwriting the header somewhere else in the stack. You'd need to trace it through to see what's doing that.

Okay, thanks.
