Connection from client refused with CORS enabled

[maki3000]

My connection from client to server is forbidden with CORS enabled on server.

The returned message is:
{"code":4,"message":"Forbidden"}

I checked following two issues, but didn't find the answer:

• Websocket Connection failed while using transport as websocket. #4239
• Handshake returns 403 Forbidden when Referrer not set/sent #3306

Here the server:

const app = express();
const httpServer = createServer(app);
const io = new Server(httpServer, {
    cors: {
        origin: ["https://onradr.local"],
        methods: ["GET", "POST"],
        allowedHeaders: [
            "Access-Control-Allow-Origin", 
            "Access-Control-Allow-Methods",
            'Access-Control-Allow-Credentials'
        ],        
        credentials: true,
    },
    // when I uncomment the allowRequest part, the connection works
    allowRequest: (req, callback) => {
        const noOriginHeader = req.headers.origin === undefined;
        callback(null, noOriginHeader);
    }
})

Here's the client:

const socket = io("https://wss.onradr.local", {
        withCredentials: true,
        extraHeaders: {
            'Access-Control-Allow-Origin': "https://onradr.local",
            'Access-Control-Allow-Methods': 'GET, POST',
            'Access-Control-Allow-Credentials': true,
        },
        transports: ['polling', 'websocket'],
    })

When I uncomment the allowRequest part on the server, the connection works.

Also, with following curl command, I get a perfect 200 OK, followed by a 403 Forbidden:
curl -H "origin: onradr.local" "Accept:" https://onradr.local "https://wss.onradr.local/socket.io/?EIO=4&transport=polling" -v -k

Here's a part of the output:

Rebuilt URL to: Accept:/
* Hostname was NOT found in DNS cache
* getaddrinfo(3) failed for Accept:80
* Couldn't resolve host 'Accept'
* Closing connection 0
curl: (6) Couldn't resolve host 'Accept'
* Rebuilt URL to: https://onradr.local/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to onradr.local (127.0.0.1) port 443 (#1)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* Server certificate:
* 	 subject: C=CH; ST=Zurich; L=Zurich; O=onRadr; [email protected]; CN=localhost
* 	 start date: 2021-03-18 13:44:50 GMT
* 	 expire date: 2028-01-21 13:44:50 GMT
* 	 issuer: C=ch; ST=Zurich; L=Zurich; O=Yo; OU=frontend; [email protected]
* 	 SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: onradr.local
> Accept: */*
> origin: onradr.local
> 
< HTTP/1.1 200 OK
* Server nginx/1.21.6 is not blacklisted
< Server: nginx/1.21.6
< Date: Wed, 22 Jun 2022 11:25:29 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 14606
< Connection: keep-alive
< Access-Control-Allow-Origin: onradr.local
< Access-Control-Allow-Methods: OPTIONS, GET
< Cache-Control: no-store, must-revalidate
< X-Powered-By: Next.js
< ETag: "390e-LjqrHw7G8If+p0X9eyLBp6jfXFk"
< Vary: Accept-Encoding
< 
<html>
(Here comes our HTML)
...
</html>
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to wss.onradr.local (127.0.0.1) port 443 (#2)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / AES256-SHA
* Server certificate:
* 	 subject: C=CH; ST=Zurich; L=Zurich; O=onRadr; [email protected]; CN=localhost
* 	 start date: 2021-03-18 13:44:50 GMT
* 	 expire date: 2028-01-21 13:44:50 GMT
* 	 issuer: C=ch; ST=Zurich; L=Zurich; O=Yo; OU=frontend; [email protected]
* 	 SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /socket.io/?EIO=4&transport=polling HTTP/1.1
> User-Agent: curl/7.38.0
> Host: wss.onradr.local
> Accept: */*
> origin: onradr.local
> 
< HTTP/1.1 403 Forbidden
* Server nginx/1.21.6 is not blacklisted
< Server: nginx/1.21.6
< Date: Wed, 22 Jun 2022 11:25:29 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Origin
< Access-Control-Allow-Credentials: true
< 
* Connection #2 to host wss.onradr.local left intact
{"code":4,"message":"Forbidden"}

As you can see my local SSL certificate is not valid. Could that be an issue?

I'm using "socket.io": "^4.5.1" on express server and "socket.io-client": "^4.5.1" on client.
We have a docker setting with express on server and nextJS on frontend.

[darrachequesne]

Hi! The allowRequest function above only allows requests without origin header, which should explain the issue:

$ curl -H "origin: https://onradr.local" "http://localhost:3000/socket.io/?EIO=4&transport=polling"
{"code":4,"message":"Forbidden"}

$ curl "http://localhost:3000/socket.io/?EIO=4&transport=polling"
0{"sid":"NY98xtObBiZ2uaQWAAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":20000,"maxPayload":1000000}

Could you please explain your use case?

Also, I think the extraHeaders on the client side are not necessary (the browser takes care of the preflight requests).

[maki3000]

Sorry! I don't get it.

The documentation says:

You can disallow all cross-origin requests with the allowRequest option:

const io = new Server(httpServer, {
  allowRequest: (req, callback) => {
    const noOriginHeader = req.headers.origin === undefined;
    callback(null, noOriginHeader);
  }
});

And this is what I actually want. I want to disallow request from other resources than https://onradr.local. Doesn't a request to a server with:

"Access-Control-Allow-Origin": "https://onradr.local"

...need an origin header?

I'm sorry, I'm confused 🤷‍♂️

[darrachequesne]

Oh, I get it, the documentation could indeed be clearer 👍

In the example below:

const io = new Server(httpServer, {
  allowRequest: (req, callback) => {
    const noOriginHeader = req.headers.origin === undefined;
    callback(null, noOriginHeader);
  }
});

This means that only the requests without origin header (same origin requests) will be allowed.

If I understand your use case, the cors configuration should be sufficient:

const app = express();
const httpServer = createServer(app);
const io = new Server(httpServer, {
    cors: {
        origin: ["https://onradr.local"],  
        credentials: true,
    }
})

Any request from a domain that is not https://onradr.local will result in an error: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at...

[maki3000]

Yes! Thanks for your help. It is working now 😀