← 返回 Skills 市场
ivangdavila

CORS

作者 Iván · GitHub ↗ · v1.0.0
linuxdarwinwin32 ✓ 安全检测通过
818
总下载
2
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install cors
功能描述
Configure Cross-Origin Resource Sharing correctly to avoid security issues and debugging pain.
使用说明 (SKILL.md)

Preflight Triggers

  • Any header except: Accept, Accept-Language, Content-Language, Content-Type (with restrictions)
  • Content-Type other than: application/x-www-form-urlencoded, multipart/form-data, text/plain
  • Methods: PUT, DELETE, PATCH, or any custom method
  • ReadableStream in request body
  • Event listeners on XMLHttpRequest.upload
  • One trigger = preflight; simple requests skip OPTIONS entirely

Credentials Mode

  • Access-Control-Allow-Origin: * incompatible with credentials—must specify exact origin
  • Access-Control-Allow-Credentials: true required for cookies/auth headers
  • Fetch: credentials: 'include'; XHR: withCredentials = true
  • Without credentials mode, cookies not sent even to same origin for cross-origin requests

Wildcard Limitations

  • * doesn't match subdomains—*.example.com is invalid, not a pattern
  • Can't use * with credentials—specify origin dynamically from request
  • Access-Control-Allow-Headers: * works in most browsers but not all—list explicitly for compatibility
  • Access-Control-Expose-Headers: * same issue—list headers you need to expose

Origin Validation

  • Check Origin header against allowlist—don't reflect blindly (security risk)
  • Regex matching pitfall: example.com matches evilexample.com—anchor the pattern
  • null origin: sandboxed iframes, file:// URLs—usually reject, never allow as trusted
  • Missing Origin header: same-origin or non-browser client—handle explicitly

Vary Header (Critical)

  • Always include Vary: Origin when response depends on origin—even if you allow only one
  • Without Vary: CDN/proxy caches response for one origin, serves to others—breaks CORS
  • Add Vary: Access-Control-Request-Headers, Access-Control-Request-Method for preflight caching correctness

Exposed Headers

  • By default, JS can only read: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
  • Custom headers invisible to JS unless listed in Access-Control-Expose-Headers
  • X-Request-ID, X-RateLimit-*, etc. need explicit exposure—common oversight

Preflight Caching

  • Access-Control-Max-Age: 86400 caches preflight for 24h—reduces OPTIONS traffic significantly
  • Chrome caps at 2 hours; Firefox at 24 hours—values above are silently reduced
  • Cached per origin + URL + request characteristics—not globally
  • Set to 0 or omit during development—caching hides config changes

Debugging

  • CORS error in browser = request reached server and came back—check server logs
  • Preflight failure: server must return 2xx with CORS headers on OPTIONS—404/500 = failure
  • Opaque response in fetch: mode: 'no-cors' succeeds but response is empty—usually not what you want
  • Network tab shows CORS errors; Console shows which header is missing

Common Server Mistakes

  • Only setting CORS headers on main handler, not OPTIONS—preflight fails
  • Setting headers after error response—CORS headers missing on 4xx/5xx breaks error handling
  • Proxy stripping headers—verify headers reach client, not just that server sets them
  • Access-Control-Allow-Origin: "*", "https://example.com"—must be single value, not list

Security

  • Don't reflect Origin header blindly—validate against allowlist first
  • Private Network Access: Chrome requires Access-Control-Allow-Private-Network: true for localhost access from public web
  • CORS doesn't prevent request from being sent—just blocks response reading; server still processes it
  • Sensitive endpoints: don't rely on CORS alone; use authentication + CSRF tokens
安全使用建议
This skill is a documentation-only helper — it won't install software or access secrets. It's low-risk and coherent with its purpose. Before applying the guidance to production, review and implement the recommendations in your server code (validate Origin against an allowlist instead of reflecting it, add Vary: Origin, include CORS headers on OPTIONS and error responses, and explicitly list headers for compatibility). Test preflight caching and credentialed requests across target browsers and ensure proxies/CDNs don't strip headers. Remember: CORS controls whether a browser can read responses — it does not prevent the server from processing requests, so continue to use proper authentication and CSRF protections for sensitive endpoints.
功能分析
Type: OpenClaw Skill Name: cors Version: 1.0.0 The skill bundle provides comprehensive documentation on Cross-Origin Resource Sharing (CORS), covering its configuration, debugging, and security implications. The `SKILL.md` file offers detailed technical advice, including critical security recommendations such as validating the Origin header against an allowlist instead of reflecting it blindly, and emphasizing the need for authentication and CSRF tokens for sensitive endpoints. There is no evidence of malicious intent, data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts against the AI agent; instead, it promotes secure development practices.
能力评估
Purpose & Capability
The name/description match the SKILL.md content: detailed CORS configuration guidance. There are no unrelated requirements (no env vars, binaries, or installs) that would be inappropriate for a documentation-style skill.
Instruction Scope
SKILL.md is purely prescriptive guidance (headers to set, pitfalls to avoid). It does not instruct the agent to run commands, read files, access unrelated environment variables, or transmit data to external endpoints—no scope creep detected.
Install Mechanism
No install spec and no code files. Because this is instruction-only, nothing will be written to disk or pulled from remote URLs during install.
Credentials
The skill requests no credentials or environment configuration. There are no unexplained secrets or access requests relative to the skill's stated purpose.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or modify other skills or system-wide settings. Normal autonomous invocation is allowed but not problematic here given the skill's benign, read-only nature.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install cors
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /cors 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
Slug cors
版本 1.0.0
许可证
累计安装 1
当前安装数 1
历史版本数 1
常见问题

CORS 是什么?

Configure Cross-Origin Resource Sharing correctly to avoid security issues and debugging pain. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 818 次。

如何安装 CORS?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install cors」即可一键安装,无需额外配置。

CORS 是免费的吗?

是的,CORS 完全免费(开源免费),可自由下载、安装和使用。

CORS 支持哪些平台?

CORS 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(linux, darwin, win32)。

谁开发了 CORS?

由 Iván(@ivangdavila)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论