CORS Configuration returning null

[curtis-thompson]

Hello, I'm configuring the CORS settings on our GraphQL Mesh instance using these docs. I have a list of allowed origins which I am setting in the mesh yaml like the following:

...
serve:
  cors:
    origin:
      - https://allowed-origin-1.com
      - https://allowed-origin-2.com
    preflightContinue: false
    optionsSuccessStatus: 204
    credentials: false

When I send a request to my GraphQL Mesh instance from the allowed origins (https://allowed-origin-1.com or https://allowed-origin-2.com) I get the expected response, with the Access-Control-Allowed-Origin response header set to the host.

However, when I send a request to my GraphQL Mesh instance from a different (not allowed) origin, say https://not-allowed-origin the Access-Control-Allow-Origin header gets set to null. Is there something wrong with my configuration?

Many thanks in advance

[ardatan]

That's for the security. The server protects the information of the allowed origins so it cannot try to bypass preflight check.

[curtis-thompson]

Thanks for the reply. Even though the origin of the request is not in the allowed origin list, the browser does not block the request and the request completes successfully. Also, I think from looking at the documentation for Access-Control-Allowed-Origins response and it states that the null value shouldn't be used as it is a security risk?

The behaviour we are looking for is for the request to be blocked if it is from a unallowed origin. Could you provide a bit more guidance on how to configure this correctly using the CorsConfig in the mesh yaml?

Many thanks

[ardatan]

I don't think returning null is a security risk. If the request is not blocked in this case, this is a bug then we need a reproduction on an isolated environment in CodeSandbox or StackBlitz