Closed
Description
Command
serve
Is this a regression?
- Yes, this behavior used to work in the previous version
The previous version in which this bug was not present was
14.1
Description
Since version 14.2, proxied OPTIONS requests are missing Access-Control-Allow-* headers from the origin (and seem to add/replace Access-Control-Allow-Origin).
Before, up to version 14.1, having a proxy configured like so:
{
"/api": {
"target": "http://localhost:18080",
"changeOrigin": true,
"ws": true
}
}Worked fine when the browser was making an CORS preflight OPTIONS request.
Here's 3 requests, first directly to the origin, second using local dev-server with Angular CL v14.1 and third using v14.2.
Request to origin:
curl -v 'http://localhost:18080/api/log' \
-X 'OPTIONS' \
-H 'access-control-request-headers: content-type' \
-H 'access-control-request-method: POST' \
-H 'origin: http://localhost:4200'
< HTTP/1.1 200 OK
< Date: Mon, 05 Sep 2022 10:06:10 GMT
< Cache-Control: must-revalidate,no-cache,no-store
< Access-Control-Allow-Origin: http://localhost:4200
< Vary: Origin
< Access-Control-Allow-Credentials: true
< Access-Control-Max-Age: 60
< Access-Control-Allow-Methods: GET,POST,DELETE,PUT,HEAD,PATCH
< Access-Control-Allow-Headers: Accept,Accept-Language,Authorization,Content-Type,Origin,User-Agent,X-Requested-With
< Content-Type: text/plain
< Allow: POST,OPTIONS
< Content-Length: 13Same request, but proxied by dev-server in v14.1:
curl -v 'http://localhost:18080/api/log' \
-X 'OPTIONS' \
-H 'access-control-request-headers: content-type' \
-H 'access-control-request-method: POST' \
-H 'origin: http://localhost:4200'
< HTTP/1.1 200 OK
< X-Powered-By: Express
< access-control-allow-origin: http://localhost:4200
< connection: close
< date: Mon, 05 Sep 2022 10:38:12 GMT
< cache-control: must-revalidate,no-cache,no-store
< vary: Origin
< access-control-allow-credentials: true
< access-control-max-age: 60
< access-control-allow-methods: GET,POST,DELETE,PUT,HEAD,PATCH
< access-control-allow-headers: Accept,Accept-Language,Authorization,Content-Type,Origin,User-Agent,X-Requested-With
< content-type: text/plain
< allow: POST,OPTIONS
< content-length: 13Same request, but proxied by dev-server in v14.2:
curl -v 'http://localhost:18080/api/log' \
-X 'OPTIONS' \
-H 'access-control-request-headers: content-type' \
-H 'access-control-request-method: POST' \
-H 'origin: http://localhost:4200'
< HTTP/1.1 204 No Content
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Date: Mon, 05 Sep 2022 10:49:26 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5Also, only noticing now after writing this, I see that the response status code is also changed/overriden.
Minimal Reproduction
- Create a new app with
ng new ng-cli-cors-headers, cd into its directory. - Create a file
proxy.conf.jsonwith above contents (although using a different target that also responds to OPTIONS requests with specific Access-Control-Allow-* response headers) ng serve --proxy-config proxy.conf.json- issue above mentioned curl requests and observe the missing headers
Exception or Error
No response
Your Environment
Angular CLI: 14.2.1
Node: 18.7.0 (Unsupported)
Package Manager: npm 8.15.0
OS: darwin x64
Angular: 14.2.0
... animations, cdk, common, compiler, compiler-cli, core, forms
... language-service, localize, material, platform-browser
... platform-browser-dynamic, router
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1402.1
@angular-devkit/build-angular 14.2.1
@angular-devkit/core 14.2.1
@angular-devkit/schematics 14.2.1
@angular/cli 14.2.1
@schematics/angular 14.1.2
rxjs 7.5.6
typescript 4.7.4
webpack 5.74.0
Anything else relevant?
We also have http-proxy-middleware as a direct dependency installed, so also listing that here:
$ npm ls http-proxy-middleware
├─┬ @angular-devkit/build-angular@14.2.1
│ └─┬ webpack-dev-server@4.10.0
│ └── http-proxy-middleware@2.0.6 deduped
└── http-proxy-middleware@2.0.6