You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@apisix.apache.org by Zeping Bai <bz...@apache.org> on 2022/09/20 10:02:14 UTC

[DISCUSS] How to handle allow_origins configuration conflicts in cors plugin

*Background:*
Currently, APISIX has a cors plugin to address browser cross-domain issues,
which will handle browser requests and dynamically add allow headers.
It contains an allow_origins option for handling client sources, which
allows
both allow_origins (hereafter referred to as text mode) and
allow_origins_by_regex (hereafter referred to as regular mode), but they are
now not mutually exclusive, they now use logic that first checks using text
mode
and returns it directly if the match is successful, and then matches regular
mode if it fails so in effect regular mode is a fallback option for text
mode.

*Problem:*
When we want to use regular mode only without giving preference to text
mode,
you will find that we cannot achieve it through the normal way.
When you use only allow_origins_by_regex without setting the allow_origins
configuration, APISIX automatically adds the default value "*" to
allow_origins, so
it directly bypasses the regular pattern configuration you defined, which
is obviously
wrong and dangerous.
If you must configure it this way, you can only configure an address for
text mode
that can never be accessed, i.e. ensure that text mode never matches. This
is neither
elegant nor secure.

Therefore, I think text mode and regular mode should be mutually exclusive,
and
text mode should not have a default value of "*".


What do you think?

Best regards!
Zeping Bai  @bzp2010

Re: [DISCUSS] How to handle allow_origins configuration conflicts in cors plugin

Posted by Zexuan Luo <sp...@apache.org>.

I am curious about why a break change is needed. The problem is, "use
only allow_origins_by_regex without setting the allow_origins
configuration doesn't work". "Ignoring the text mode when the regular
mode is used
and the text mode is `*` " can solve this problem and bring the least
break change. Making a breaking change will make it tough to backport
a bugfix to LTS version.

Zeping Bai <bz...@apache.org> 于2022年9月21日周三 10:24写道：
>
> >  IMHO, I suggest ignoring the text mode when the regular mode is used
> and the text mode is `*`. This change won't break the existing
> configuration.
>
> Yes, I think we can do that, and I will impose soft restrictions for text
> patterns
> and regular patterns instead of hard restrictions using jsonschema. They
> can still both be configured, but the behavior will be different from the
> original.
>
> > This change will be a break change as we can use both text mode and
> regular mode now and it can work well if the text mode isn't `*`. If
> we make a break change to solve the problem, I am afraid we can't
> backport it to the LTS version.
>
> Emmm I'm not sure how we should do it, in some perspective this issue is
> undoubtedly a bug and we need to have ways to fix it. Maybe we can't
> port it in LTS, but it should be added to the pending release of 3.0.
>
> Zexuan Luo <sp...@apache.org> 于2022年9月21日周三 10:03写道：
>
> > IMHO, I suggest ignoring the text mode when the regular mode is used
> > and the text mode is `*`. This change won't break the existing
> > configuration.
> >
> > > Therefore, I think text mode and regular mode should be mutually
> > exclusive, and
> > text mode should not have a default value of "*".
> >
> > This change will be a break change as we can use both text mode and
> > regular mode now and it can work well if the text mode isn't `*`. If
> > we make a break change to solve the problem, I am afraid we can't
> > backport it to LTS version.
> >
> > Zeping Bai <bz...@apache.org> 于2022年9月20日周二 18:02写道：
> > >
> > > *Background:*
> > > Currently, APISIX has a cors plugin to address browser cross-domain
> > issues,
> > > which will handle browser requests and dynamically add allow headers.
> > > It contains an allow_origins option for handling client sources, which
> > > allows
> > > both allow_origins (hereafter referred to as text mode) and
> > > allow_origins_by_regex (hereafter referred to as regular mode), but they
> > are
> > > now not mutually exclusive, they now use logic that first checks using
> > text
> > > mode
> > > and returns it directly if the match is successful, and then matches
> > regular
> > > mode if it fails so in effect regular mode is a fallback option for text
> > > mode.
> > >
> > > *Problem:*
> > > When we want to use regular mode only without giving preference to text
> > > mode,
> > > you will find that we cannot achieve it through the normal way.
> > > When you use only allow_origins_by_regex without setting the
> > allow_origins
> > > configuration, APISIX automatically adds the default value "*" to
> > > allow_origins, so
> > > it directly bypasses the regular pattern configuration you defined, which
> > > is obviously
> > > wrong and dangerous.
> > > If you must configure it this way, you can only configure an address for
> > > text mode
> > > that can never be accessed, i.e. ensure that text mode never matches.
> > This
> > > is neither
> > > elegant nor secure.
> > >
> > > Therefore, I think text mode and regular mode should be mutually
> > exclusive,
> > > and
> > > text mode should not have a default value of "*".
> > >
> > >
> > > What do you think?
> > >
> > > Best regards!
> > > Zeping Bai  @bzp2010
> >

Re: [DISCUSS] How to handle allow_origins configuration conflicts in cors plugin

Posted by Zeping Bai <bz...@apache.org>.

>  IMHO, I suggest ignoring the text mode when the regular mode is used
and the text mode is `*`. This change won't break the existing
configuration.

Yes, I think we can do that, and I will impose soft restrictions for text
patterns
and regular patterns instead of hard restrictions using jsonschema. They
can still both be configured, but the behavior will be different from the
original.

> This change will be a break change as we can use both text mode and
regular mode now and it can work well if the text mode isn't `*`. If
we make a break change to solve the problem, I am afraid we can't
backport it to the LTS version.

Emmm I'm not sure how we should do it, in some perspective this issue is
undoubtedly a bug and we need to have ways to fix it. Maybe we can't
port it in LTS, but it should be added to the pending release of 3.0.

Zexuan Luo <sp...@apache.org> 于2022年9月21日周三 10:03写道：

> IMHO, I suggest ignoring the text mode when the regular mode is used
> and the text mode is `*`. This change won't break the existing
> configuration.
>
> > Therefore, I think text mode and regular mode should be mutually
> exclusive, and
> text mode should not have a default value of "*".
>
> This change will be a break change as we can use both text mode and
> regular mode now and it can work well if the text mode isn't `*`. If
> we make a break change to solve the problem, I am afraid we can't
> backport it to LTS version.
>
> Zeping Bai <bz...@apache.org> 于2022年9月20日周二 18:02写道：
> >
> > *Background:*
> > Currently, APISIX has a cors plugin to address browser cross-domain
> issues,
> > which will handle browser requests and dynamically add allow headers.
> > It contains an allow_origins option for handling client sources, which
> > allows
> > both allow_origins (hereafter referred to as text mode) and
> > allow_origins_by_regex (hereafter referred to as regular mode), but they
> are
> > now not mutually exclusive, they now use logic that first checks using
> text
> > mode
> > and returns it directly if the match is successful, and then matches
> regular
> > mode if it fails so in effect regular mode is a fallback option for text
> > mode.
> >
> > *Problem:*
> > When we want to use regular mode only without giving preference to text
> > mode,
> > you will find that we cannot achieve it through the normal way.
> > When you use only allow_origins_by_regex without setting the
> allow_origins
> > configuration, APISIX automatically adds the default value "*" to
> > allow_origins, so
> > it directly bypasses the regular pattern configuration you defined, which
> > is obviously
> > wrong and dangerous.
> > If you must configure it this way, you can only configure an address for
> > text mode
> > that can never be accessed, i.e. ensure that text mode never matches.
> This
> > is neither
> > elegant nor secure.
> >
> > Therefore, I think text mode and regular mode should be mutually
> exclusive,
> > and
> > text mode should not have a default value of "*".
> >
> >
> > What do you think?
> >
> > Best regards!
> > Zeping Bai  @bzp2010
>

Re: [DISCUSS] How to handle allow_origins configuration conflicts in cors plugin

Posted by Zexuan Luo <sp...@apache.org>.

IMHO, I suggest ignoring the text mode when the regular mode is used
and the text mode is `*`. This change won't break the existing
configuration.

> Therefore, I think text mode and regular mode should be mutually exclusive, and
text mode should not have a default value of "*".

This change will be a break change as we can use both text mode and
regular mode now and it can work well if the text mode isn't `*`. If
we make a break change to solve the problem, I am afraid we can't
backport it to LTS version.

Zeping Bai <bz...@apache.org> 于2022年9月20日周二 18:02写道：
>
> *Background:*
> Currently, APISIX has a cors plugin to address browser cross-domain issues,
> which will handle browser requests and dynamically add allow headers.
> It contains an allow_origins option for handling client sources, which
> allows
> both allow_origins (hereafter referred to as text mode) and
> allow_origins_by_regex (hereafter referred to as regular mode), but they are
> now not mutually exclusive, they now use logic that first checks using text
> mode
> and returns it directly if the match is successful, and then matches regular
> mode if it fails so in effect regular mode is a fallback option for text
> mode.
>
> *Problem:*
> When we want to use regular mode only without giving preference to text
> mode,
> you will find that we cannot achieve it through the normal way.
> When you use only allow_origins_by_regex without setting the allow_origins
> configuration, APISIX automatically adds the default value "*" to
> allow_origins, so
> it directly bypasses the regular pattern configuration you defined, which
> is obviously
> wrong and dangerous.
> If you must configure it this way, you can only configure an address for
> text mode
> that can never be accessed, i.e. ensure that text mode never matches. This
> is neither
> elegant nor secure.
>
> Therefore, I think text mode and regular mode should be mutually exclusive,
> and
> text mode should not have a default value of "*".
>
>
> What do you think?
>
> Best regards!
> Zeping Bai  @bzp2010