Posted to notifications@couchdb.apache.org by "Alexander Shorin (JIRA)" <ji...@apache.org> on 2015/06/29 20:40:04 UTC

[jira] [Resolved] (COUCHDB-2705) Cannot enable CORS in dev/run

     [ https://issues.apache.org/jira/browse/COUCHDB-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Shorin resolved COUCHDB-2705.
---------------------------------------
       Resolution: Fixed
         Assignee: Russell Branca
    Fix Version/s: 2.0.0

CORS is now implemented for chttpd. Should be fixed.

> Cannot enable CORS in dev/run
> -----------------------------
>
>                 Key: COUCHDB-2705
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2705
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: HTTP Interface
>            Reporter: Nolan Lawson
>            Assignee: Russell Branca
>             Fix For: 2.0.0
>
>
> Steps to repro:
> 1. Run [this code | https://github.com/pouchdb/pouchdb/blob/29142852bad9cf70cb68053760ee08baa22919d6/bin/run-couch-master-on-travis.sh] to download the latest CouchDB master and install on Debian.
> 2. Run {{npm install -g add-cors-to-couchdb && add-cors-to-couchdb http://localhost:15986}}
> 3. Run the PouchDB test suite ({{hub clone pouchdb/pouchdb && cd pouchdb && npm install && COUCH_HOST=http://localhost:15984 SERVER=couchdb-master npm run dev}})
> 4. Go to {{localhost:8000/tests/integration}}
> Expected results: CORS is configured properly
> Actual results: the server is sending back duplicated response headers for `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` so the browser (in this case Chrome) fails with:
> {code}
> The 'Access-Control-Allow-Origin' header contains multiple values 'http://127.0.0.1:8000, http://127.0.0.1:8000', but only one is allowed. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
> {code}
> More context (from IRC):
> {code}
> [2015-05-30 11:47:23] <nolanlawson> rnewson
> [2015-05-30 11:49:03] → tilgovi joined (~randall@couchdb/committer/tilgovi)
> [2015-05-30 11:49:03] * ChanServ set +v tilgovi
> [2015-05-30 11:51:28] <rnewson> correct, you need *5984 to work
> [2015-05-30 11:51:49] <rnewson> *5986 won't be available to users (would love to get rid of it entirely)
> [2015-05-30 11:53:11] <nolanlawson> rnewson: so how do I enable cors?
> [2015-05-30 11:53:19] → mandric joined (~mandric@179.154.222.21)
> [2015-05-30 11:54:29] <rnewson> hrm, same way (but you have to do every node), I think.
> [2015-05-30 11:54:41] <rnewson> chttpd_cors calls down to couch_httpd_cors, at least.
> [2015-05-30 11:55:21] <rnewson> enable_cors() ->
> [2015-05-30 11:55:21] <rnewson>     get_bool_config("httpd", "enable_cors", false).
> [2015-05-30 11:55:33] <rnewson> ah, which looks broken
> [2015-05-30 11:55:36] <rnewson> should be "false"
> [2015-05-30 11:56:05] <rnewson> hm, maybe not. still, awkward to have that there and not in config itself
> [2015-05-30 11:56:40] <nolanlawson> hm, I see ./rel/overlay/etc/{local,default}.ini and ./dev/lib/node1/etc/{local,default}.ini and ./src/mem3/test/01-config-default.ini
> [2015-05-30 11:56:52] <nolanlawson> I tried modifying the /dev/lib/node1 one, but it just gets wiped when restarted
> [2015-05-30 11:57:00] <nolanlawson> and seems to have no impact if I change it while it's running
> [2015-05-30 11:59:58] <rnewson> overlay/etc/*.ini is copied to the nodes, so you want to edit the overlay ones
> [2015-05-30 12:00:14] <rnewson> or use :[123]5986/_config PUt's
> [2015-05-30 12:02:01] → jensnockert joined (~Jens@84.219.248.21)
> [2015-05-30 12:02:30] ⇐ jensnockert quit (~Jens@84.219.248.21): Remote host closed the connection
> [2015-05-30 12:07:30] <rnewson> and couch has never read the .ini after boot, so that's expected.
> [2015-05-30 12:10:00] <nolanlawson> rnewson: well, PUTing on 15986 seems to be getting me further than before
> [2015-05-30 12:10:06] <nolanlawson> but now Chrome says: The 'Access-Control-Allow-Origin' header contains multiple values 'http://127.0.0.1:8000, http://127.0.0.1:8000', but only one is allowed. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
> [2015-05-30 12:10:20] <rnewson> hrm
> [2015-05-30 12:10:36] <rnewson> we're rapidly reaching the end of my cors knowledge, but let's see...
> [2015-05-30 12:11:03] <nolanlawson> yeah, AFAIK when I use the defaults from add-cors-to-couchdb
> [2015-05-30 12:11:08] <nolanlawson> (https://github.com/pouchdb/add-cors-to-couchdb)
> [2015-05-30 12:11:27] <nolanlawson> then couchdb should just echo the host, which is pretty much the only 100% guaranteed way to get all browsers to respect cors
> [2015-05-30 12:11:28] → mcqueenorama1 joined (~mcqueenor@c-50-161-22-49.hsd1.ca.comcast.net)
> [2015-05-30 12:11:36] <nolanlawson> seems to be echoing it twice, but not sure how
> [2015-05-30 12:11:50] <rnewson> can you show the raw response?
> [2015-05-30 12:12:41] → anaran joined (~Thunderbi@port-92-194-103-172.dynamic.qsc.de)
> [2015-05-30 12:13:10] <nolanlawson> rnewson: https://gist.github.com/nolanlawson/d5599c03e07273eedabe
> [2015-05-30 12:13:30] <nolanlawson> seems to also be sending back Access-Control-Allow-Credentials:true, true
> [2015-05-30 12:14:00] <nolanlawson> all I'm doing to repro this is running add-cors-to-couchdb http://localhost:15986, which is equivalent to the curl commands shown in the github page for that project
> [2015-05-30 12:14:39] ⇐ araujo quit (~araujo@gentoo/developer/araujo): Quit: Leaving
> [2015-05-30 12:18:48] <rnewson> sure, did you do those commands once each to each node?
> [2015-05-30 12:19:29] <rnewson> sigh
> [2015-05-30 12:19:36] <rnewson> dev/run on asf master seems to be broken right now.
> [2015-05-30 12:24:28] ⇐ mandric quit (~mandric@179.154.222.21): Quit: Computer has gone to sleep.
> [2015-05-30 12:24:30] <nolanlawson> rnewson: :(
> [2015-05-30 12:24:44] <nolanlawson> no, I only did it to localhost:15986, because the others were not responding
> [2015-05-30 12:24:45] <rnewson> getting closer
> [2015-05-30 12:24:52] <rnewson> hm
> [2015-05-30 12:25:01] <rnewson> well, with dev/run broken, I'm not taking any bets
> [2015-05-30 12:25:07] <rnewson> give me a few minute
> [2015-05-30 12:25:11] <nolanlawson> okay, thanks a lot!
> [2015-05-30 12:30:51] <rnewson> ok, updated rebar and now things work (fuck rebar, seriously)
> [2015-05-30 12:30:56] <rnewson> trying cors now
> [2015-05-30 12:31:48] <rnewson> ok, configured for it with the settings on https://github.com/pouchdb/add-cors-to-couchdb
> [2015-05-30 12:32:46] <rnewson> I don't see where you're adding 127.0.0.1:8000 as an allowed origin.
> [2015-05-30 12:32:52] <rnewson> is that a custom step you've done locally?
> [2015-05-30 12:33:42] <rnewson> nvm, reproduced the problem.
> [2015-05-30 12:33:57] → fdmanana joined (~fdmanana@couchdb/committer/fdmanana)
> [2015-05-30 12:33:57] * ChanServ set +v fdmanana
> [2015-05-30 12:34:49] <rnewson> https://gist.github.com/rnewson/8f9833ebdab9cf389dbe
> [2015-05-30 12:38:11] <rnewson> heh, cute. make_cors_headers is called twice.
> [2015-05-30 12:38:13] <rnewson> that'd do it
> [2015-05-30 12:38:55] <nolanlawson> rnewson: nice detective work :)
> [2015-05-30 12:39:18] <rnewson> hold the applause till the end pls
> [2015-05-30 12:44:58] <nolanlawson> hahaha
> [2015-05-30 12:48:17] <rnewson> yeah, I see it. hrmmf
> [2015-05-30 12:48:36] ⇐ mcqueenorama1 quit (~mcqueenor@c-50-161-22-49.hsd1.ca.comcast.net): Remote host closed the connection
> [2015-05-30 12:48:39] ⇐ tilgovi quit (~randall@couchdb/committer/tilgovi): Ping timeout: 256 seconds
> [2015-05-30 12:49:03] <rnewson> chttpd calls couch_httpd functions, and both call cors_headers
> [2015-05-30 12:49:13] <rnewson> and then mochiweb combines them as you've seen
> [2015-05-30 12:49:28] <rnewson> in dbcore, we only have the cors_headers call in chttpd
> [2015-05-30 12:49:56] <rnewson> that is, we (cloudant) didn't implement cors for the 5986 private side (for obvious reasons)
> [2015-05-30 12:50:10] <rnewson> but the couchdb 2.0 version attempts it, and breaks both as a consequence.
> [2015-05-30 12:50:47] <rnewson> do you have the strength to raise a JIRA ticket?
> {code}
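
The failure reported in the issue above (a single-valued CORS header sent twice and merged into one comma-joined value, which the browser rejects) can be caught by checking the raw response head. This is an added example, not CouchDB or PouchDB code; the function names and both sample responses are constructed for illustration.

```javascript
// Added example, not project code. Sample responses below are constructed.
// CORS response headers that browsers require to carry exactly one value.
const SINGLE_VALUED = ['access-control-allow-origin', 'access-control-allow-credentials'];

// Split a raw HTTP response head into [lowercased-name, value] pairs.
function parseHeaderLines(rawHead) {
  return rawHead
    .split(/\r?\n/)
    .slice(1) // drop the status line
    .filter((line) => line.includes(':'))
    .map((line) => {
      const idx = line.indexOf(':');
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Return one finding per single-valued CORS header that ends up with more
// than one value, whether sent as repeated lines or as a comma-joined list.
function auditCors(rawHead) {
  const values = new Map();
  for (const [name, value] of parseHeaderLines(rawHead)) {
    if (!SINGLE_VALUED.includes(name)) continue;
    const parts = value.split(',').map((v) => v.trim()).filter(Boolean);
    values.set(name, (values.get(name) || []).concat(parts));
  }
  const findings = [];
  for (const [name, vals] of values) {
    if (vals.length > 1) findings.push({ header: name, values: vals });
  }
  return findings;
}

// Constructed sample: headers emitted twice and merged, as in the report.
const BROKEN = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: http://127.0.0.1:8000, http://127.0.0.1:8000',
  'Access-Control-Allow-Credentials: true, true',
  'Content-Type: application/json',
].join('\r\n');
// Constructed sample: the same response with each header set once.
const FIXED = [
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: http://127.0.0.1:8000',
  'Access-Control-Allow-Credentials: true',
  'Content-Type: application/json',
].join('\r\n');

console.log(auditCors(BROKEN), auditCors(FIXED));
```

Run against a captured response head in a regression test, an empty result means each of the two headers was set exactly once.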


