Skip to content

CORS defaults not actually used #1160

New issue
New issue
Open
#1161
Open
CORS defaults not actually used#1160
#1161
Labels
bugSomething isn't working
@IlyaSemenov

Description

@IlyaSemenov
IlyaSemenov
opened on Jul 15, 2025

Environment

h3 1.15.3 but the bug is still in the main branch

Reproduction

I don't think the repro is needed as the bug is obvious by looking at the code. Let me know if you absolutely require it.

Describe the bug

h3 cors module has some default options:

h3/src/utils/internal/cors.ts

Lines 22 to 32 in 459093d

const defaultOptions: ResolvedCorsOptions = {
origin: "*",
methods: "*",
allowHeaders: "*",
exposeHeaders: "*",
credentials: false,
maxAge: false,
preflight: {
statusCode: 204,
},
};

However they are not actually used when generating CORS headers (only what the user explicitly passes is used):

h3/src/utils/cors.ts

Lines 151 to 153 in 459093d

const _options = resolveCorsOptions(options);
if (isPreflightRequest(event)) {
appendCorsPreflightHeaders(event, options);

As the result, preflight response doesn't include access-control-allow-methods: * despite it being the default value.

Additional context

No response

Logs

Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't working
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions