Allow CORS for all origins

(fixes juice-shop#182)
oguzhalit · Sep 2, 2016 · 8717c2b · 8717c2b
1 parent 4f71bf3
commit 8717c2b
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/Gruntfile.js b/Gruntfile.js
@@ -92,6 +92,7 @@ module.exports = function (grunt) {
  'node_modules/serve-index/**',
  'node_modules/serve-favicon/**',
  'node_modules/body-parser/**',
+ 'node_modules/cors/**',
  'node_modules/sequelize-restful/**',
  'node_modules/morgan/**',
  'node_modules/sanitize-html/**',

diff --git a/package.json b/package.json
@@ -30,6 +30,7 @@
  "serve-index": "~1.8",
  "serve-favicon": "~2.3",
  "body-parser": "~1.15",
+ "cors": "~2.8",
  "sequelize-restful": "~0.4",
  "morgan": "~1.7",
  "sanitize-html": "1.4.2",

diff --git a/server.js b/server.js
@@ -14,6 +14,7 @@ var application_root = __dirname.replace(/\\/g, '/'),
  serveIndex = require('serve-index'),
  favicon = require('serve-favicon'),
  bodyParser = require('body-parser'),
+ cors = require('cors'),
  redirect = require('./routes/redirect'),
  angular = require('./routes/angular'),
  easterEgg = require('./routes/easterEgg'),
@@ -48,6 +49,9 @@ app.use(helmet.noSniff());
 app.use(helmet.frameguard());
 //app.use(helmet.xssFilter()); // = no protection from persisted XSS via RESTful API
 
+/* Bludgeon solution for possible CORS problems: Allow everything! */
+app.use(cors());
+
 /* Remove duplicate slashes from URL which allowed bypassing subsequent filters */
 app.use(function (req,res,next) { req.url = req.url.replace(/[/]+/g, '/'); next(); });