Bug: Event handler + cors + headers #4589
Comments
Prior to 2.16.1 any request without an
2.16.1 introduced the multiple CORS origins. A request without an
Also any request with an

```python
from aws_lambda_powertools.event_handler import APIGatewayRestResolver, CORSConfig, Response

app = APIGatewayRestResolver(CORSConfig())


def handler(event, context):
    return app.resolve(event, context)


@app.get("/foo")
def _():
    return Response(200)
```

event without origin:

```json
{
    "httpMethod": "GET",
    "path": "/foo"
}
```

response pre 2.16.1:

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {
        "Access-Control-Allow-Headers": [
            "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"
        ],
        "Access-Control-Allow-Origin": [
            "*"
        ]
    },
    "statusCode": 200
}
```

response post 2.16.1:

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {},
    "statusCode": 200
}
```

event with origin:

```json
{
    "httpMethod": "GET",
    "path": "/foo",
    "headers": {"Origin": "https://example.com"}
}
```

response pre 2.16.1:

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {
        "Access-Control-Allow-Headers": [
            "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key"
        ],
        "Access-Control-Allow-Origin": [
            "*"
        ]
    },
    "statusCode": 200
}
```

response post 2.16.1:

```python
{
    "body": None,
    "isBase64Encoded": False,
    "multiValueHeaders": {
        "Access-Control-Allow-Headers": [
            "Authorization,Content-Type,X-Amz-Date,X-Amz-Security-Token,X-Api-Key",
        ],
        "Access-Control-Allow-Origin": [
            "https://example.com",
        ],
    },
    "statusCode": 200,
}
```
Assigning to @sthulb to investigate
hey @Wurstnase, thank you for taking the time to add more context that was missing from the original author - I have some questions.
To be sure we're on the same page, ideally the behavior should be (to avoid security issues):
If we were to return
That's expected by CORS practices, though we missed that apparently in earlier versions. If we were to do it, we'd throw away CORS security guarantees for cross-origin requests; a request without Origin means it was either not cross-origin to begin with OR done in error/intentionally for attack surface discovery. Please let me know if that's incorrect or if I misunderstood.
So, the third scenario is different from the current behavior and should be changed. The rest looks ok to me. Do we need to handle: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#sect1
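The two comments above agree on what the resolver should do with the Origin header: send no CORS headers when the request carries none, echo an allowed origin exactly, and emit `*` only for a wildcard policy; the second comment also raises the credentials case from the linked MDN page. The following is an added example that models that decision on its own, not Powertools' code nor its `CORSConfig` API: `CorsPolicy`, `cors_headers` and `respond` are hypothetical names, the sample events are constructed to match the ones posted earlier in the thread, and the `Vary: Origin` header is an addition beyond what the thread shows (it stops a cached origin-specific response being served to a different origin).

```python
"""Model of the CORS-origin decision discussed in this issue.

Added example: not Powertools' own implementation. It encodes the behaviour
the thread agrees on (no Origin -> no CORS headers; a listed Origin -> echoed
back; a wildcard policy -> "*") plus the credentials rule from the MDN page
linked above (never pair "*" with credentials). CorsPolicy is a hypothetical
stand-in for CORSConfig.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Same default allow-list that appears in the responses quoted in this issue.
DEFAULT_ALLOW_HEADERS = [
    "Authorization",
    "Content-Type",
    "X-Amz-Date",
    "X-Amz-Security-Token",
    "X-Api-Key",
]


@dataclass
class CorsPolicy:
    """Hypothetical policy object; mirrors the intent of CORSConfig, not its API."""

    allow_origins: List[str] = field(default_factory=lambda: ["*"])
    allow_headers: List[str] = field(default_factory=lambda: list(DEFAULT_ALLOW_HEADERS))
    allow_credentials: bool = False


def get_origin(event: dict) -> Optional[str]:
    """Case-insensitive lookup of the Origin header in a REST API proxy event."""
    for name, value in (event.get("headers") or {}).items():
        if name.lower() == "origin":
            return value
    return None


def cors_headers(policy: CorsPolicy, event: dict) -> Dict[str, List[str]]:
    """Return the multiValueHeaders a CORS-aware response should carry."""
    origin = get_origin(event)
    if origin is None:
        # No Origin means the request was not cross-origin (or is a probe):
        # emit nothing, which is the post-2.16.1 behaviour for this case.
        return {}

    if "*" in policy.allow_origins and not policy.allow_credentials:
        allowed = "*"
    elif origin in policy.allow_origins:
        # Exact-match echo of a listed origin; never reflect an arbitrary one.
        allowed = origin
    else:
        # Unknown origin: the browser blocks the response on its side anyway,
        # so send no CORS headers rather than a misleading "*".
        return {}

    headers: Dict[str, List[str]] = {
        "Access-Control-Allow-Origin": [allowed],
        "Access-Control-Allow-Headers": [",".join(policy.allow_headers)],
    }
    if policy.allow_credentials:
        # Only reached for an explicitly listed origin; "*" with credentials
        # is rejected by browsers (CORSNotSupportingCredentials).
        headers["Access-Control-Allow-Credentials"] = ["true"]
    if allowed != "*":
        # Origin-specific responses must not be cached and reused for another origin.
        headers["Vary"] = ["Origin"]
    return headers


def respond(policy: CorsPolicy, event: dict, status_code: int = 200, body=None) -> dict:
    """Build a response in the proxy-integration shape quoted in the issue."""
    return {
        "body": body,
        "isBase64Encoded": False,
        "multiValueHeaders": cors_headers(policy, event),
        "statusCode": status_code,
    }


# Constructed sample events, matching the two cases posted above.
EVENT_NO_ORIGIN = {"httpMethod": "GET", "path": "/foo"}
EVENT_WITH_ORIGIN = {
    "httpMethod": "GET",
    "path": "/foo",
    "headers": {"Origin": "https://example.com"},
}

if __name__ == "__main__":
    import json

    for label, event in [("no origin", EVENT_NO_ORIGIN), ("with origin", EVENT_WITH_ORIGIN)]:
        print(label, json.dumps(respond(CorsPolicy(), event), indent=2))
```

With the default wildcard policy the first event yields an empty `multiValueHeaders` and the second yields `Access-Control-Allow-Origin: *`, which is the post-2.16.1 shape shown in the thread; with `allow_origins=["https://example.com"]` the second event gets the origin echoed back. Turning on `allow_credentials` with a wildcard list deliberately produces no CORS headers at all, since reflecting whatever Origin arrives would be the only way to "allow" it, and that is the pattern the MDN page warns against.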
@sthulb handling a regression now w/ Leandro and an internal thing - can you hash it out with Nico the best way forward plz?
This is now released under 2.41.0 version!
Expected Behaviour
Opening this issue on behalf of @pseudochaos
#4385 (comment)
Current Behaviour
Need more information.
Code snippet
Possible Solution
Need more information.
Steps to Reproduce
Need more information.
Powertools for AWS Lambda (Python) version
2.39.1
AWS Lambda function runtime
3.11
Packaging format used
PyPi
Debugging logs
No response