http-party · YoannGalentin · Mar 13, 2020
diff --git a/bin/http-server b/bin/http-server
@@ -139,6 +139,10 @@ function listen(port) {
     if (typeof argv.cors === 'string') {
       options.corsHeaders = argv.cors;
     }
+
+    if (typeof argv.corsOrigin === 'string') {
+      options.corsOrigin = argv.corsOrigin;
+    }
   }
 
   if (ssl) {

diff --git a/lib/http-server.js b/lib/http-server.js
@@ -122,15 +122,25 @@ function HttpServer(options) {
   }
 
   if (options.cors) {
-    this.headers['Access-Control-Allow-Origin'] = '*';
+    this.headers['Access-Control-Allow-Origin'] = options.corsOrigin ? options.corsOrigin : '*';
     this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';
     if (options.corsHeaders) {
       options.corsHeaders.split(/\s*,\s*/)
           .forEach(function (h) { this.headers['Access-Control-Allow-Headers'] += ', ' + h; }, this);
     }
-    before.push(corser.create(options.corsHeaders ? {
-      requestHeaders: this.headers['Access-Control-Allow-Headers'].split(/\s*,\s*/)
-    } : null));
+
+    var corserOptions = {};
+
+    if (options.corsOrigin) {
+      corserOptions.origins = [options.corsOrigin];
+      corserOptions.supportsCredentials = true;
+    }
+
+    if (options.corsHeaders) {
+      corserOptions.requestHeaders = this.headers['Access-Control-Allow-Headers'].split(/\s*,\s*/);
+    }
+
+    before.push(corser.create(corserOptions));
   }
 
   if (options.robots) {

diff --git a/test/http-server-test.js b/test/http-server-test.js
@@ -139,7 +139,8 @@ vows.describe('http-server').addBatch({
       var server = httpServer.createServer({
         root: root,
         cors: true,
-        corsHeaders: 'X-Test'
+        corsHeaders: 'X-Test',
+        corsOrigin: 'http://example.com'
       });
       server.listen(8082);
       this.callback(null, server);
@@ -161,6 +162,9 @@ vows.describe('http-server').addBatch({
       },
       'response Access-Control-Allow-Headers should contain X-Test': function (err, res) {
         assert.ok(res.headers['access-control-allow-headers'].split(/\s*,\s*/g).indexOf('X-Test') >= 0, 204);
+      },
+      'response Access-Control-Allow-Origin should equal http://example.com': function (err, res) {
+        assert.equal(res.headers['access-control-allow-origin'], 'http://example.com');
       }
     },
     teardown: function (server) {