Posted to notifications@couchdb.apache.org by "Nolan Lawson (JIRA)" <ji...@apache.org> on 2015/05/30 19:02:17 UTC

[jira] [Created] (COUCHDB-2705) Cannot enable CORS in dev/run

Nolan Lawson created COUCHDB-2705:
-------------------------------------

             Summary: Cannot enable CORS in dev/run
                 Key: COUCHDB-2705
                 URL: https://issues.apache.org/jira/browse/COUCHDB-2705
             Project: CouchDB
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Database Core
            Reporter: Nolan Lawson


Steps to repro:

1. Run [this code | https://github.com/pouchdb/pouchdb/blob/29142852bad9cf70cb68053760ee08baa22919d6/bin/run-couch-master-on-travis.sh] to download the latest CouchDB master and install on Debian.
2. Run {{npm install -g add-cors-to-couchdb && add-cors-to-couchdb http://localhost:15986}}
3. Run the PouchDB test suite ({{hub clone pouchdb/pouchdb && cd pouchdb && npm install && COUCH_HOST=http://localhost:15984 SERVER=couchdb-master npm run dev}})
4. Go to {{localhost:8000/tests/integration}}

Expected results: CORS is configured properly

Actual results: the server is sending back duplicated response headers for {{Access-Control-Allow-Origin}} and {{Access-Control-Allow-Credentials}} so the browser (in this case Chrome) fails with:

{code}
The 'Access-Control-Allow-Origin' header contains multiple values 'http://127.0.0.1:8000, http://127.0.0.1:8000', but only one is allowed. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
{code}

More context (from IRC):

{code}
[2015-05-30 11:47:23] <nolanlawson> rnewson
[2015-05-30 11:49:03] → tilgovi joined (~randall@couchdb/committer/tilgovi)
[2015-05-30 11:49:03] * ChanServ set +v tilgovi
[2015-05-30 11:51:28] <rnewson> correct, you need *5984 to work
[2015-05-30 11:51:49] <rnewson> *5986 won't be available to users (would love to get rid of it entirely)
[2015-05-30 11:53:11] <nolanlawson> rnewson: so how do I enable cors?
[2015-05-30 11:53:19] → mandric joined (~mandric@179.154.222.21)
[2015-05-30 11:54:29] <rnewson> hrm, same way (but you have to do every node), I think.
[2015-05-30 11:54:41] <rnewson> chttpd_cors calls down to couch_httpd_cors, at least.
[2015-05-30 11:55:21] <rnewson> enable_cors() ->
[2015-05-30 11:55:21] <rnewson>     get_bool_config("httpd", "enable_cors", false).
[2015-05-30 11:55:33] <rnewson> ah, which looks broken
[2015-05-30 11:55:36] <rnewson> should be "false"
[2015-05-30 11:56:05] <rnewson> hm, maybe not. still, awkward to have that there and not in config itself
[2015-05-30 11:56:40] <nolanlawson> hm, I see ./rel/overlay/etc/{local,default}.ini and ./dev/lib/node1/etc/{local,default}.ini and ./src/mem3/test/01-config-default.ini
[2015-05-30 11:56:52] <nolanlawson> I tried modifying the /dev/lib/node1 one, but it just gets wiped when restarted
[2015-05-30 11:57:00] <nolanlawson> and seems to have no impact if I change it while it's running
[2015-05-30 11:59:58] <rnewson> overlay/etc/*.ini is copied to the nodes, so you want to edit the overlay ones
[2015-05-30 12:00:14] <rnewson> or use :[123]5986/_config PUTs
[2015-05-30 12:02:01] → jensnockert joined (~Jens@84.219.248.21)
[2015-05-30 12:02:30] ⇐ jensnockert quit (~Jens@84.219.248.21): Remote host closed the connection
[2015-05-30 12:07:30] <rnewson> and couch has never read the .ini after boot, so that's expected.
[2015-05-30 12:10:00] <nolanlawson> rnewson: well, PUTing on 15986 seems to be getting me further than before
[2015-05-30 12:10:06] <nolanlawson> but now Chrome says: The 'Access-Control-Allow-Origin' header contains multiple values 'http://127.0.0.1:8000, http://127.0.0.1:8000', but only one is allowed. Origin 'http://127.0.0.1:8000' is therefore not allowed access.
[2015-05-30 12:10:20] <rnewson> hrm
[2015-05-30 12:10:36] <rnewson> we're rapidly reaching the end of my cors knowledge, but let's see...
[2015-05-30 12:11:03] <nolanlawson> yeah, AFAIK when I use the defaults from add-cors-to-couchdb
[2015-05-30 12:11:08] <nolanlawson> (https://github.com/pouchdb/add-cors-to-couchdb)
[2015-05-30 12:11:27] <nolanlawson> then couchdb should just echo the host, which is pretty much the only 100% guaranteed way to get all browsers to respect cors
[2015-05-30 12:11:28] → mcqueenorama1 joined (~mcqueenor@c-50-161-22-49.hsd1.ca.comcast.net)
[2015-05-30 12:11:36] <nolanlawson> seems to be echoing it twice, but not sure how
[2015-05-30 12:11:50] <rnewson> can you show the raw response?
[2015-05-30 12:12:41] → anaran joined (~Thunderbi@port-92-194-103-172.dynamic.qsc.de)
[2015-05-30 12:13:10] <nolanlawson> rnewson: https://gist.github.com/nolanlawson/d5599c03e07273eedabe
[2015-05-30 12:13:30] <nolanlawson> seems to also be sending back Access-Control-Allow-Credentials:true, true
[2015-05-30 12:14:00] <nolanlawson> all I'm doing to repro this is running add-cors-to-couchdb http://localhost:15986, which is equivalent to the curl commands shown in the github page for that project
[2015-05-30 12:14:39] ⇐ araujo quit (~araujo@gentoo/developer/araujo): Quit: Leaving
[2015-05-30 12:18:48] <rnewson> sure, did you do those commands once each to each node?
[2015-05-30 12:19:29] <rnewson> sigh
[2015-05-30 12:19:36] <rnewson> dev/run on asf master seems to be broken right now.
[2015-05-30 12:24:28] ⇐ mandric quit (~mandric@179.154.222.21): Quit: Computer has gone to sleep.
[2015-05-30 12:24:30] <nolanlawson> rnewson: :(
[2015-05-30 12:24:44] <nolanlawson> no, I only did it to localhost:15986, because the others were not responding
[2015-05-30 12:24:45] <rnewson> getting closer
[2015-05-30 12:24:52] <rnewson> hm
[2015-05-30 12:25:01] <rnewson> well, with dev/run broken, I'm not taking any bets
[2015-05-30 12:25:07] <rnewson> give me a few minutes
[2015-05-30 12:25:11] <nolanlawson> okay, thanks a lot!
[2015-05-30 12:30:51] <rnewson> ok, updated rebar and now things work (fuck rebar, seriously)
[2015-05-30 12:30:56] <rnewson> trying cors now
[2015-05-30 12:31:48] <rnewson> ok, configured for it with the settings on https://github.com/pouchdb/add-cors-to-couchdb
[2015-05-30 12:32:46] <rnewson> I don't see where you're adding 127.0.0.1:8000 as an allowed origin.
[2015-05-30 12:32:52] <rnewson> is that a custom step you've done locally?
[2015-05-30 12:33:42] <rnewson> nvm, reproduced the problem.
[2015-05-30 12:33:57] → fdmanana joined (~fdmanana@couchdb/committer/fdmanana)
[2015-05-30 12:33:57] * ChanServ set +v fdmanana
[2015-05-30 12:34:49] <rnewson> https://gist.github.com/rnewson/8f9833ebdab9cf389dbe
[2015-05-30 12:38:11] <rnewson> heh, cute. make_cors_headers is called twice.
[2015-05-30 12:38:13] <rnewson> that'd do it
[2015-05-30 12:38:55] <nolanlawson> rnewson: nice detective work :)
[2015-05-30 12:39:18] <rnewson> hold the applause till the end pls
[2015-05-30 12:44:58] <nolanlawson> hahaha
[2015-05-30 12:48:17] <rnewson> yeah, I see it. hrmmf
[2015-05-30 12:48:36] ⇐ mcqueenorama1 quit (~mcqueenor@c-50-161-22-49.hsd1.ca.comcast.net): Remote host closed the connection
[2015-05-30 12:48:39] ⇐ tilgovi quit (~randall@couchdb/committer/tilgovi): Ping timeout: 256 seconds
[2015-05-30 12:49:03] <rnewson> chttpd calls couch_httpd functions, and both call cors_headers
[2015-05-30 12:49:13] <rnewson> and then mochiweb combines them as you've seen
[2015-05-30 12:49:28] <rnewson> in dbcore, we only have the cors_headers call in chttpd
[2015-05-30 12:49:56] <rnewson> that is, we (cloudant) didn't implement cors for the 5986 private side (for obvious reasons)
[2015-05-30 12:50:10] <rnewson> but the couchdb 2.0 version attempts it, and breaks both as a consequence.
[2015-05-30 12:50:47] <rnewson> do you have the strength to raise a JIRA ticket?
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
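
Added example, not part of the original ticket and not CouchDB or PouchDB code: a small model of why a response that carries the CORS headers twice is rejected, plus a check a test suite could use to catch the regression. The helper names and the sample header list are assumptions constructed from the values quoted in the report; the check is a simplified version of the one in the Fetch standard.

```javascript
// Constructed sample (not a captured response): the CORS headers emitted once
// by each of two code paths, using the values quoted in the report.
const SAMPLE_HEADERS = [
  ['Content-Type', 'application/json'],
  ['Access-Control-Allow-Origin', 'http://127.0.0.1:8000'],
  ['Access-Control-Allow-Credentials', 'true'],
  ['Access-Control-Allow-Origin', 'http://127.0.0.1:8000'],
  ['Access-Control-Allow-Credentials', 'true'],
];

// Join repeated header fields into one comma-separated value, which is the
// form the client ends up evaluating.
function combineHeaders(pairs) {
  const combined = new Map();
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    combined.set(key, combined.has(key) ? `${combined.get(key)}, ${value}` : value);
  }
  return combined;
}

// Simplified CORS check modelled on the Fetch standard (hypothetical helper).
function corsCheck(pairs, requestOrigin, withCredentials) {
  const headers = combineHeaders(pairs);
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin === undefined) return { ok: false, reason: 'no Access-Control-Allow-Origin' };
  if (!withCredentials && allowOrigin === '*') return { ok: true, reason: 'wildcard' };
  if (allowOrigin !== requestOrigin) {
    const kind = allowOrigin.includes(',') ? 'multiple values' : 'origin mismatch';
    return { ok: false, reason: `${kind}: '${allowOrigin}'` };
  }
  if (!withCredentials) return { ok: true, reason: 'origin match' };
  const creds = headers.get('access-control-allow-credentials');
  if (creds === 'true') return { ok: true, reason: 'origin match with credentials' };
  return { ok: false, reason: `Access-Control-Allow-Credentials is '${creds}'` };
}

// Regression check: Access-Control-* fields that appear more than once.
function duplicatedCorsHeaders(pairs) {
  const counts = new Map();
  for (const [name] of pairs) {
    const key = name.toLowerCase();
    if (key.startsWith('access-control-')) counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([key]) => key).sort();
}
```

The origin comparison is an exact string match, so the combined value fails even though each individual copy of the header is correct.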