Node fetch CORS documentation is lacking #4179

@HansFalkenberg-Visma

Description

Bug Description

Documentation does not list missing CORS checking as a deviance from the specification.

Reproducible By

  1. Read node's fetch documentation: https://nodejs.org/en/learn/getting-started/fetch
  2. Follow its link in "For information on Undici's specification compliance, see the Undici documentation."
  3. https://undici.nodejs.org/#/?id=specification-compliance-1
  4. Look for a subsection about CORS. It's not there.

Expected Behavior

Documentation guarantees that undici ignores CORS and does not make any preflight requests.

Additional context

The documentation does mention something about CORS at https://undici.nodejs.org/#/?id=undicifetchinput-init-promise

That is under a different section than node links to. It would be better if everything under Home > Common API Methods > undici.fetch > Specification Compliance was moved to Home > Specification Compliance

Even so, the guarantees in this other compliance section are not sufficient:

The Fetch Standard requires implementations to exclude certain headers from requests and responses. In browser environments, some headers are forbidden so the user agent remains in full control over them. In Undici, these constraints are removed to give more control to the user.

If I've understood the fetch standard right, it also requires doing preflight checks and having an origin match. Even if I've not understood and the fetch standard allows for omitting preflight/origin checks, the documentation should explicitly state that they will in fact be omitted.

The current implementation does appear to ignore any CORS mechanism right now. However...

#958 alleges that crossOriginResourcePolicyCheck, corsCheck and TAOCheck have been implemented, but all that's in the code are some scary TODO comments: https://github.com/nodejs/undici/blob/release/v6.21.2/lib/web/fetch/util.js#L220

If implemented, that would break existing code relying on these checks not being performed, as they likely should not be in a server environment. There are a couple of comments that agree with this in #540
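The observation above (Node's fetch makes no preflight request and exposes a response that carries no CORS headers) can be checked directly. The following probe is an added example written for this page; it is not code from the issue author, from undici or from the Node documentation. It assumes Node 18 or later, where the global `fetch` is backed by undici. A local server that sends no `Access-Control-Allow-Origin` header records every request it receives, and the probe then issues a PUT with a custom header, exactly the shape of request a browser would preflight with OPTIONS and then refuse to read:

```javascript
// Added example (not from the undici/Node docs or the issue author): a local HTTP
// server that deliberately sends no Access-Control-Allow-Origin header and logs
// every request it sees. A browser would send an OPTIONS preflight for the
// PUT-with-custom-header request below and would then refuse to expose the
// response body; the probe reports what Node's built-in fetch (undici) actually does.
async function probeCors() {
  const http = await import('node:http'); // dynamic import works from both CJS and ESM

  const seen = []; // record of requests the server received (constructed at runtime)
  const server = http.createServer((req, res) => {
    seen.push({ method: req.method, origin: req.headers.origin });
    // No CORS headers at all. 'connection: close' just lets the server shut down
    // promptly instead of waiting for undici's keep-alive socket to time out.
    res.writeHead(200, { 'content-type': 'application/json', connection: 'close' });
    res.end(JSON.stringify({ secret: 'visible-to-node' }));
  });
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  const { port } = server.address();

  try {
    // A "non-simple" request: PUT plus a custom header triggers a preflight in a browser.
    const res = await fetch(`http://127.0.0.1:${port}/data`, {
      method: 'PUT',
      headers: { 'content-type': 'application/json', 'x-custom': '1' },
      body: JSON.stringify({ hello: 'world' }),
    });
    const body = await res.json(); // readable despite the missing ACAO header
    return {
      preflightSeen: seen.some((r) => r.method === 'OPTIONS'),
      methods: seen.map((r) => r.method),
      originHeader: seen.length ? seen[0].origin ?? null : null, // what the server saw, if anything
      status: res.status,
      acao: res.headers.get('access-control-allow-origin'), // null: header absent
      body,
    };
  } finally {
    await new Promise((resolve) => server.close(resolve));
  }
}

// Stand-alone run: prints the observation as JSON.
probeCors().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The practical consequence is the one the issue is asking the documentation to spell out: code running under Node cannot rely on CORS for anything, neither as a protection on the server it talks to (the response is fully readable with no `Access-Control-Allow-Origin` header) nor as a signal that a request is "safe" (no preflight is ever sent, so an endpoint that only expects browsers to reach it after an OPTIONS exchange will be hit directly). Anything like same-origin policy has to be enforced by the caller, for example by validating the target host before calling `fetch`.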

Labels: Docs (Changes related to the documentation)