Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/08/05 01:48:52 UTC

[GitHub] [apisix] OnlyPiglet edited a comment on issue #1983: bug: cors when the request is a preflight request we shouldn't set the Access-Control-Allow-Headers *

OnlyPiglet edited a comment on issue #1983:
URL: https://github.com/apache/apisix/issues/1983#issuecomment-668925261


   @ShiningRush 
   The cors plugin has returned all the needed CORS headers, but if `allow_headers` is `*`, the current cors plugin will set
   `Access-Control-Request-Headers: *`; this will fail when the request is a preflight request.
   
   The current code of cors:
   
   ```lua
   local core = require("apisix.core")  -- import the snippet relies on

   -- Current behaviour: every CORS header, including Access-Control-Allow-Headers,
   -- is copied straight from the plugin config, so allow_headers = "*" is sent
   -- as a literal "*" on preflight responses too.
   local function set_cors_headers(conf, ctx)
       local allow_methods = conf.allow_methods
       if allow_methods == "**" then
           allow_methods = "GET,POST,PUT,DELETE,PATCH,HEAD,OPTIONS,CONNECT,TRACE"
       end

       core.response.set_header("Access-Control-Allow-Origin", ctx.cors_allow_origins)
       core.response.set_header("Access-Control-Allow-Methods", allow_methods)
       core.response.set_header("Access-Control-Allow-Headers", conf.allow_headers)
       core.response.set_header("Access-Control-Max-Age", conf.max_age)
       core.response.set_header("Access-Control-Expose-Headers", conf.expose_headers)
       if conf.allow_credential then
           core.response.set_header("Access-Control-Allow-Credentials", true)
       end
   end

   -- Elsewhere in the plugin's request phase handler, a preflight (OPTIONS)
   -- request is answered with 200 directly, with no special handling of headers.
   if ctx.var.request_method == "OPTIONS" then
       return 200
   end
   ```
   If we set the `Access-Control-Allow-Credentials` `*`, this will cause a cors error; I am sorry I didn't have a capture of this error.
   We shouldn't set the `Access-Control-Allow-Credentials` which are the same as those of the preflight request, like this:
   
   ```lua
   -- Proposed fix: on a preflight request, when allow_headers is a wildcard,
   -- echo back exactly the header names the browser asked for instead of "*".
   local function set_allow_headers_options_method(conf, ctx)
       local allow_headers = conf.allow_headers
       if allow_headers == "*" or allow_headers == "**" then
           local headers = core.request.header(ctx, "Access-Control-Request-Headers")
           if headers then
               ngx.header["Access-Control-Allow-Headers"] = headers
           end
       end
   end
   ```
   ```lua
   -- and call it from the OPTIONS branch of the request phase handler
   if ctx.var.request_method == "OPTIONS" then
       set_allow_headers_options_method(conf, ctx)
       return 200
   end
   ```
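As an added illustration (not part of the issue comment or of APISIX), the following Python models the browser-side preflight check for `Access-Control-Allow-Headers` as the Fetch specification defines it: a literal `*` is only treated as a wildcard when the real request carries no credentials, and `Authorization` is never covered by the wildcard. The two `*_plugin` functions are hypothetical stand-ins for the current plugin output and for the echo fix above, and `CONF`/`REQUESTED` are constructed sample values.

```python
# Added example: a model of the browser's CORS preflight check for
# Access-Control-Allow-Headers, run against the headers the current plugin
# emits and against the "echo Access-Control-Request-Headers" fix.

SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
NON_WILDCARD = {"authorization"}  # never covered by "*" under Fetch


def _names(value):
    """Parse a comma-separated header list into lowercase names."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def current_plugin(conf, requested):
    """Headers the current set_cors_headers() puts on a preflight response."""
    resp = {"Access-Control-Allow-Headers": conf["allow_headers"]}
    if conf.get("allow_credential"):
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def fixed_plugin(conf, requested):
    """Same, plus set_allow_headers_options_method(): echo the request list."""
    resp = current_plugin(conf, requested)
    if conf["allow_headers"] in ("*", "**") and requested:
        resp["Access-Control-Allow-Headers"] = requested
    return resp


def browser_accepts(resp, requested, credentialed):
    """Return True if a browser would let the real request through."""
    if credentialed and resp.get("Access-Control-Allow-Credentials") != "true":
        return False
    allowed = _names(resp.get("Access-Control-Allow-Headers", ""))
    wildcard = "*" in allowed and not credentialed  # "*" is literal with credentials
    for name in _names(requested) - SAFELISTED:
        if wildcard and name not in NON_WILDCARD:
            continue
        if name not in allowed:
            return False
    return True


CONF = {"allow_headers": "*", "allow_credential": True}  # constructed config
REQUESTED = "X-Requested-With, Authorization"  # constructed preflight header

if __name__ == "__main__":
    for label, plugin in (("current", current_plugin), ("fixed", fixed_plugin)):
        ok = browser_accepts(plugin(CONF, REQUESTED), REQUESTED, credentialed=True)
        print(f"{label}: preflight {'passes' if ok else 'FAILS'}")
```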
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org