feat: add CORS-aware ETag modes and configurable query parser options #6908
+716
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add support for including response headers in ETag calculation to prevent
cache conflicts when serving content to multiple origins through CDNs.
This addresses an issue where CDNs return 304 Not Modified responses that
omit CORS headers, causing browsers to apply cached CORS headers from a
different origin, resulting in CORS errors.
New ETag modes:
- 'weak-cors': Weak ETag including Access-Control-Allow-Origin header
- 'strong-cors': Strong ETag including Access-Control-Allow-Origin header
The implementation:
- Extends createETagGenerator to accept includeHeaders option
- Updates res.send() to pass response headers to ETag function
- Maintains full backward compatibility with existing ETag modes
- Falls back to body-only hashing when CORS headers are not present
Usage:
app.set('etag', 'weak-cors');
app.use(function(req, res) {
res.set('Access-Control-Allow-Origin', req.get('Origin'));
res.send('content');
});
Test coverage:
- 13 new unit tests in test/utils.js
- 10 new integration tests in test/res.send.cors.js
- All existing tests pass (1269 total)
Fixes expressjs#5986
Add ability to configure qs library options when using the extended
query parser, addressing silent parameter truncation and providing
better security controls.
Previously, the extended query parser used hardcoded qs defaults with
no way to customize behavior. This caused issues when query strings
exceeded the default 1000 parameter limit, resulting in silent data
loss. Additionally, the default allowPrototypes: true setting poses
a prototype pollution security risk.
New API:
app.set('query parser', 'extended');
app.set('query parser options', {
parameterLimit: 5000, // Increase from default 1000
arrayLimit: 50, // Increase from default 20
depth: 10, // Increase from default 5
allowPrototypes: false // Prevent prototype pollution
});
Changes:
- compileQueryParser now accepts optional qsOptions parameter
- createExtendedQueryParser factory function replaces parseExtendedQueryString
- app.set('query parser options') triggers parser recompilation
- Explicit defaults documented: parameterLimit=1000, arrayLimit=20, depth=5
Backward compatibility:
- Default behavior unchanged (same qs defaults apply)
- Works without setting options
- Options can be set before or after parser mode
- Does not affect 'simple' parser mode
Security note:
The default allowPrototypes: true is maintained for backward compatibility
but developers are encouraged to set allowPrototypes: false to prevent
prototype pollution attacks.
Test coverage:
- 11 new tests in test/req.query.options.js
- Tests cover limits, security, and backward compatibility
- All existing tests pass (1269 total)
Fixes expressjs#5878
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR introduces two independent enhancements to Express.js that address long-standing issues with CDN caching and query string handling.
Changes Included
1. CORS-Aware ETag Generation (Fixes #5986)
Adds new ETag modes that include response headers in ETag calculation to prevent cache conflicts when serving content to multiple origins through CDNs.
New ETag modes:
'weak-cors': Weak ETag including Access-Control-Allow-Origin header'strong-cors': Strong ETag including Access-Control-Allow-Origin headerProblem solved: CDNs returning 304 Not Modified responses that omit CORS headers, causing browsers to apply cached CORS headers from different origins, resulting in CORS errors.
Usage:
`app.set('etag', 'weak-cors');
app.use(function(req, res) {
res.set('Access-Control-Allow-Origin', req.get('Origin'));
res.send('content');
});`
Implementation:
createETagGeneratorto acceptincludeHeadersoptionres.send()to pass response headers to ETag function2. Configurable Query Parser Options (Fixes #5878)
Adds ability to configure
qslibrary options when using the extended query parser, addressing silent parameter truncation and providing better security controls.New API:
app.set('query parser', 'extended'); app.set('query parser options', { parameterLimit: 5000, // Increase from default 1000 arrayLimit: 50, // Increase from default 20 depth: 10, // Increase from default 5 allowPrototypes: false // Prevent prototype pollution });Problem solved: Query strings exceeding the default 1000 parameter limit resulted in silent data loss. The default
allowPrototypes: truesetting poses a prototype pollution security risk.Implementation:
compileQueryParsernow accepts optionalqsOptionsparametercreateExtendedQueryParserfactory function replacesparseExtendedQueryStringapp.set('query parser options')triggers parser recompilationBackward Compatibility
Both features maintain full backward compatibility:
Test Coverage
test/utils.js+ 10 integration tests intest/res.send.cors.jstest/req.query.options.jsSecurity Considerations
The query parser feature helps prevent prototype pollution attacks by allowing developers to set
allowPrototypes: false. The default remainstruefor backward compatibility, but documentation encourages the secure option.