-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow_cors may break CORS #93
Labels
Comments
Thanks for so detailed report @nezed! |
any updates on this? |
@hagen1778 any updates on this? |
matthieugouel
added a commit
to matthieugouel/chproxy
that referenced
this issue
Dec 1, 2024
…aders Fixes ContentSquare#93. The `Access-Control-Allow-Origin` was set before on the response before the proxy call, and ClickHouse was returning the response with its own `Access-Control-Allow-Origin` (in my case, "*"). So, having `allow_cors: true` was eventually returning two `Access-Control-Allow-Origin`, one from chproxy and one from ClickHouse. This commit just move the `"Access-Control-Allow-Origin` after the proxy call, overriding the value returned by ClickHouse. If `allow_cors: false`, chproxy does not change the value (so it can be, I believe, any value set by ClickHouse), else, with `allow_cors: true`, it will override to either the value of `Origin` request if any or else `*`.
13 tasks
matthieugouel
added a commit
to matthieugouel/chproxy
that referenced
this issue
Dec 13, 2024
…eaders Fixes ContentSquare#93. The `Access-Control-Allow-Origin` was set before on the response before the proxy call, and ClickHouse was returning the response with its own `Access-Control-Allow-Origin` (in my case, "*"). So, having `allow_cors: true` was eventually returning two `Access-Control-Allow-Origin`, one from chproxy and one from ClickHouse. This commit just move the `"Access-Control-Allow-Origin` after the proxy call, overriding the value returned by ClickHouse. If `allow_cors: false`, chproxy does not change the value (so it can be, I believe, any value set by ClickHouse), else, with `allow_cors: true`, it will override to either the value of `Origin` request if any or else `*`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
users[].allow_cors = true
may lead to multipleAccess-Control-Allow-Origin
headersActual behaviour:
Responses with multiple headers is rejected by Chrome browser with following error:
Steps to reproduce:
add_http_cors_header = 1
is default behaviour for tabix.io and grafana-clickhouse plugin, also it may be set as default for some users.Access-Control-Allow-Origin: *
header.users[].allow_cors = true
leads to injecting secondAccess-Control-Allow-Origin: origin
header.Expected behaviour
One of this
users[].allow_cors = true
then drop all Allow-Origin headers in source response if any and write single Allow-Origin header in same manner as chproxy does nowusers[].allow_cors = false
then do nothing (user may expect that add_http_cors_header will take effect and experience troubles if chproxy changes this behaviour)For me option 2 looks way better, at least because it respects real Origin header value from client
The text was updated successfully, but these errors were encountered: