Posted to commits@openwhisk.apache.org by ma...@apache.org on 2018/09/18 17:18:36 UTC
[incubator-openwhisk] branch master updated: Add User-Agent to list
of allowed CORS headers. (#4010)
This is an automated email from the ASF dual-hosted git repository.
markusthoemmes pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new 2b3f586 Add User-Agent to list of allowed CORS headers. (#4010)
2b3f586 is described below
commit 2b3f586193ffcc081eb8df19219c80f48d2fa6e9
Author: Nick Mitchell <st...@users.noreply.github.com>
AuthorDate: Tue Sep 18 13:18:27 2018 -0400
Add User-Agent to list of allowed CORS headers. (#4010)
Fixes #4009
---
.../controller/src/main/scala/whisk/core/controller/RestAPIs.scala | 7 +++++--
.../src/main/scala/whisk/core/controller/WebActions.scala | 2 +-
docs/rest_api.md | 2 +-
docs/webactions.md | 2 +-
tests/src/test/scala/services/HeadersTests.scala | 2 +-
tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala | 2 +-
.../test/scala/whisk/core/controller/test/WebActionsApiTests.scala | 2 +-
7 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala b/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
index 3f69c83..5199889 100644
--- a/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
@@ -19,6 +19,7 @@ package whisk.core.controller
import akka.actor.ActorSystem
import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
+import akka.http.scaladsl.model.HttpMethods.{DELETE, GET, HEAD, POST, PUT}
import akka.http.scaladsl.model.StatusCodes._
import akka.http.scaladsl.model.Uri
import akka.http.scaladsl.model.headers._
@@ -150,8 +151,10 @@ protected[controller] object RestApiCommons {
*/
protected[controller] trait RespondWithHeaders extends Directives {
val allowOrigin = `Access-Control-Allow-Origin`.*
- val allowHeaders = `Access-Control-Allow-Headers`("Authorization", "Content-Type")
- val sendCorsHeaders = respondWithHeaders(allowOrigin, allowHeaders)
+ val allowHeaders = `Access-Control-Allow-Headers`("*")
+ val allowMethods =
+ `Access-Control-Allow-Methods`(GET, DELETE, POST, PUT, HEAD)
+ val sendCorsHeaders = respondWithHeaders(allowOrigin, allowHeaders, allowMethods)
}
case class WhiskInformation(buildNo: String, date: String)
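Review bot: `allowHeaders` now sends `Access-Control-Allow-Headers: *`, which is wider than the User-Agent addition named in the commit title, and under the Fetch standard the wildcard does not cover `Authorization`, which has to be listed by name. Browser clients that send the API key in `Authorization` may therefore fail preflight where the old explicit list passed, and browsers without wildcard support read `*` as a literal header name. An explicit allow-list keeps the cross-origin surface minimal and keeps authenticated calls working: ``val allowHeaders = `Access-Control-Allow-Headers`("Authorization", "Content-Type", "User-Agent")``. The same point applies to `defaultCorsWithAllowHeader` in WebActions.scala and to the expected `"*"` values in the three test files of this commit.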
diff --git a/core/controller/src/main/scala/whisk/core/controller/WebActions.scala b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
index 6f52657..e03bdc8 100644
--- a/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
@@ -383,7 +383,7 @@ trait WhiskWebActionsApi extends Directives with ValidateRequestSize with PostAc
List(`Access-Control-Allow-Origin`.*, `Access-Control-Allow-Methods`(OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH))
private val defaultCorsWithAllowHeader = {
- defaultCorsBaseResponse :+ `Access-Control-Allow-Headers`(`Authorization`.name, `Content-Type`.name)
+ defaultCorsBaseResponse :+ `Access-Control-Allow-Headers`("*")
}
private def defaultCorsResponse(headers: Seq[HttpHeader]): List[HttpHeader] = {
diff --git a/docs/rest_api.md b/docs/rest_api.md
index b6c04a2..28932be 100644
--- a/docs/rest_api.md
+++ b/docs/rest_api.md
@@ -82,7 +82,7 @@ curl -u USERNAME:PASSWORD https://openwhisk.ng.bluemix.net/api/v1/namespaces/whi
In this example the authentication was passed using the `-u` flag, you can pass this value also as part of the URL as `https://$AUTH@{APIHOST}`
-The OpenWhisk API supports request-response calls from web clients. OpenWhisk responds to `OPTIONS` requests with Cross-Origin Resource Sharing headers. Currently, all origins are allowed (that is, Access-Control-Allow-Origin is "`*`") and Access-Control-Allow-Headers yield Authorization and Content-Type.
+The OpenWhisk API supports request-response calls from web clients. OpenWhisk responds to `OPTIONS` requests with Cross-Origin Resource Sharing headers. Currently, all origins are allowed (that is, Access-Control-Allow-Origin is "`*`"), the standard set of methods are allowed (that is, Access-Control-Allow-Methods is "`GET, DELETE, POST, PUT, HEAD`"), and Access-Control-Allow-Headers yields "`*`".
**Attention:** Because OpenWhisk currently supports only one key per namespace, it is not recommended to use CORS beyond simple experiments. Use [Web Actions](webactions.md) or [API Gateway](apigateway.md) to expose your actions to the public and not use the OpenWhisk authorization key for client applications that require CORS.
diff --git a/docs/webactions.md b/docs/webactions.md
index 3e98fe0..547fcba 100644
--- a/docs/webactions.md
+++ b/docs/webactions.md
@@ -450,7 +450,7 @@ if it is present in the HTTP request. Otherwise, a default value is generated as
```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH
-Access-Control-Allow-Headers: Authorization, Content-Type
+Access-Control-Allow-Headers: *
```
Alternatively, OPTIONS requests can be handled manually by a web action. To enable this option add a
diff --git a/tests/src/test/scala/services/HeadersTests.scala b/tests/src/test/scala/services/HeadersTests.scala
index 42c51c3..c0485de 100644
--- a/tests/src/test/scala/services/HeadersTests.scala
+++ b/tests/src/test/scala/services/HeadersTests.scala
@@ -64,7 +64,7 @@ class HeadersTests extends FlatSpec with Matchers with ScalaFutures with WskActo
val creds = BasicHttpCredentials(whiskAuth.fst, whiskAuth.snd)
val allMethods = Some(Set(DELETE.name, GET.name, POST.name, PUT.name))
val allowOrigin = `Access-Control-Allow-Origin`.*
- val allowHeaders = `Access-Control-Allow-Headers`("Authorization", "Content-Type")
+ val allowHeaders = `Access-Control-Allow-Headers`("*")
val url = Uri(s"$controllerProtocol://${WhiskProperties.getBaseControllerAddress()}")
def request(method: HttpMethod, uri: Uri, headers: Option[Seq[HttpHeader]] = None): Future[HttpResponse] = {
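Review bot: The `Access-Control-Allow-Methods` header that RestAPIs.scala starts sending gets no expected value in this fixture; only `allowHeaders` is updated, and the diffstat shows a single changed line in this file, so no assertion on the methods header was added here. Adding ``val allowMethods = `Access-Control-Allow-Methods`(GET, DELETE, POST, PUT, HEAD)`` next to `allowHeaders` and checking it alongside the other CORS headers would pin the advertised method list, so a later widening is caught by the tests. `allMethods` on the line above still omits HEAD; whether it is meant to match the new header is not visible, because the class body continues outside the hunk.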
diff --git a/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala b/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
index 61f374b..700f87e 100644
--- a/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
+++ b/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
@@ -204,7 +204,7 @@ class WskWebActionsTests extends TestHelpers with WskTestHelpers with RestUtil w
response.statusCode shouldBe 200
response.header("Access-Control-Allow-Origin") shouldBe "*"
response.header("Access-Control-Allow-Methods") shouldBe "OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH"
- response.header("Access-Control-Allow-Headers") shouldBe "Authorization, Content-Type"
+ response.header("Access-Control-Allow-Headers") shouldBe "*"
response.header("Location") shouldBe null
response.header("Set-Cookie") shouldBe null
}
diff --git a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
index ba9e2cc..deee6fe 100644
--- a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
+++ b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
@@ -1502,7 +1502,7 @@ trait WebActionsApiBaseTests extends ControllerTestCommon with BeforeAndAfterEac
if (testHeader.name == `Access-Control-Request-Headers`.name) {
header("Access-Control-Allow-Headers").get.toString shouldBe "Access-Control-Allow-Headers: x-custom-header"
} else {
- header("Access-Control-Allow-Headers").get.toString shouldBe "Access-Control-Allow-Headers: Authorization, Content-Type"
+ header("Access-Control-Allow-Headers").get.toString shouldBe "Access-Control-Allow-Headers: *"
}
}
}