Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/06/28 09:15:47 UTC

[GitHub] [apisix] azura27 opened a new issue #4496: bug: cors cannot set config with credential true, allow_headers *

azura27 opened a new issue #4496:
URL: https://github.com/apache/apisix/issues/4496


   ### Issue description
   
   ### Environment
   
   Bug report without environment information will be ignored or closed.
   
   * apisix version (cmd: `apisix version`): 2.0
   * OS (cmd: `uname -a`):
   * OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): 1.17.8.2
   * etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API): 3.13
   * apisix-dashboard version, if have:
   * luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   
   ### Minimal test code / Steps to reproduce the issue
   
   Bug report without steps to reproduce will be ignored or closed.
   
   1.  PUT CMD to admin API to set cors plugin open, config allow_credential true, allow_headers "*"
   2.  Failed
   3.
   
   ### What's the actual result? (including assertion message & call stack if applicable)
   Failed to set with error message:  you can not set '*' for other option when 'allow_credential' is true
   ### What's the expected result?
   set successfully, as the doc of "HTTP ACCESS CONTROL ALLOW" (https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CORS)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
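
Added example, not part of the original thread and not APISIX's own code: a JavaScript model of the config-time rejection reported above and of how a browser evaluates a credentialed preflight, where per the Fetch standard `*` in the method and header lists is compared as a literal token. The field names `allow_origins`, `allow_methods` and `expose_headers`, the origin `https://app.example` and the `X-Token` header are assumptions made for the illustration.

```javascript
// Added example, not APISIX code. allow_origins, allow_methods and expose_headers
// are assumed names for the "other options" in the error message.
const WILDCARD_FIELDS = ["allow_origins", "allow_methods", "allow_headers", "expose_headers"];

// Config-time check: list the fields holding "*" while credentials are enabled.
function validateCorsConf(conf) {
  if (!conf.allow_credential) return [];
  return WILDCARD_FIELDS.filter((f) => conf[f] === "*");
}

// Does a comma-separated response header value cover every wanted token?
// With credentials, "*" is compared as a literal token, not as a wildcard.
function listCovers(headerValue, wanted, withCredentials) {
  const tokens = (headerValue || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
  if (!withCredentials && tokens.includes("*")) return true;
  return wanted.every((w) => tokens.includes(w.toLowerCase()));
}

// Simplified browser-side evaluation of a preflight response
// (CORS-safelisted methods and headers are not modelled).
function preflightAllowed(req, res) {
  const origin = res["access-control-allow-origin"];
  if (req.credentials) {
    if (origin !== req.origin) return "blocked: origin must match exactly";
    if (res["access-control-allow-credentials"] !== "true") return "blocked: credentials not allowed";
  } else if (origin !== "*" && origin !== req.origin) {
    return "blocked: origin mismatch";
  }
  if (!listCovers(res["access-control-allow-methods"], [req.method], req.credentials)) {
    return "blocked: method not allowed";
  }
  if (!listCovers(res["access-control-allow-headers"], req.headers, req.credentials)) {
    return "blocked: header not allowed";
  }
  return "allowed";
}

// Constructed samples: a config like the one in the issue, and the response it would yield.
const issueConf = { allow_credential: true, allow_origins: "https://app.example", allow_methods: "PUT", allow_headers: "*" };
const sampleResponse = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "PUT",
  "access-control-allow-headers": "*",
};
const sampleRequest = { origin: "https://app.example", method: "PUT", headers: ["X-Token"], credentials: true };
console.log(validateCorsConf(issueConf), preflightAllowed(sampleRequest, sampleResponse));
```

Listing the needed header names explicitly in `allow_headers` passes both the config check and the credentialed preflight.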



[GitHub] [apisix] azura27 closed issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
azura27 closed issue #4496:
URL: https://github.com/apache/apisix/issues/4496


   





[GitHub] [apisix] azura27 commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
azura27 commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870175347


   > You can learn more detail about `Access-Control-Allow-Origin` in [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives) and [CORSNotSupportingCredentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials)
   
   NOT find the evidence either. In our product environment, this is not suitable, and in similar gateway server KONG, the headers config only limit origin. We've removed other headers' limitation in our own ENV.  If this is the design, then take this issue as a suggestion





[GitHub] [apisix] tokers commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870169223









[GitHub] [apisix] ShiningRush edited a comment on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
ShiningRush edited a comment on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870187389


   BTW: I compared the Chinese and English versions of  [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives), and found that the Chinese version did not mention wildcard related matters. Maybe you are viewing its Chinese version page?
   
   English version:
   ```
   *
   For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.
   ```
   
   Chinese version:
   ```
   *
   For requests that do not require credentials, the server uses "*" as a wildcard, thereby allowing all origins to access the resource.
   ```








[GitHub] [apisix] tokers commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-869600548


   @azura27 This is by design, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials for details.





[GitHub] [apisix] azura27 commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
azura27 commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870186030


   OK, got it. My focus is origin (the value tells browsers to allow requesting code from any **origin** to access the resource), and yours is this sentence "for requests without credentials, the literal value "*" can be specified, as a wildcard".











[GitHub] [apisix] ShiningRush commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
ShiningRush commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870183718


   >For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting  code from any origin to access the resource. **Attempting to use the wildcard with credentials will result in an error**.
   
   I believe the information I posted has been described clearly enough, please read it carefully.
   





[GitHub] [apisix] ShiningRush commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
ShiningRush commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870171425


   You can learn more detail about `Access-Control-Allow-Origin` in [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives) and [CORSNotSupportingCredentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials)





[GitHub] [apisix] azura27 commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
azura27 commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-869660452


   > @azura27 This is by design, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials for details.
   
   This DOC only says "Access-Control-Allow-Origin" should not be “*”, not all other headers should not be "*". Did I get the right link:  "Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’"





[GitHub] [apisix] azura27 commented on issue #4496: bug: cors cannot set config with credential true, allow_headers *

Posted by GitBox <gi...@apache.org>.
azura27 commented on issue #4496:
URL: https://github.com/apache/apisix/issues/4496#issuecomment-870373691


   OK, thanks a lot









