Process ACCESS_CONTROL_ALLOW_ORIGIN parameter #24225
Conversation
|
Edit: I think I've misread. Retracting. Generally I would recommend avoiding CORS where possible via reverse proxies. |
GiteaBot
added
the
lgtm/need 2
|
Maybe describe a bit what problem you are trying to solve to help us understand why this is needed. I'm no expert on CORS but in the few situations I've dealt with it, I found it easier to just set up reverse proxies to reduce to a single origin and not have CORS in first place, which has many negative effects, like pre-flight requests and such. |
I'm agree that CORS is more flexible and safe. But I didn's succeeded in activating CORS. I explored the sources. It seemed to Me that both CORS and repo.ACCESS_CONTROL_ALLOW_ORIGIN are not realized completly.
I decided to go the simple way: to add I need this feature to read data files from Gitea in some web page. I'd like to load files from Gitea in JavaScript by HTTP request. It's the single domain (My web server). I can use repo.ACCESS_CONTROL_ALLOW_ORIGIN to specify it. In My case is simple and safe. As you obviously understood, I realized sending of I think My PR is useful. |
|
I read the code briefly. At the moment, my thoughts are:
Correct me if I am wrong. |
|
Thank You, wxiaoguang! I'd like to add some details...
So what will be further? I'm novice in Gitea development and in development on Github too... :) |
|
Maybe let's keep this PR open? If you don't mind, I could try this PR on my side and maybe make some changes on it. |
|
I'm agree! I really need this feature! Thank You! I tested it by requests like this: I think specifying a value of It allows both HTTP and HTTPS. But I prepose to add an example in |
Should I reopen this PR? |
pull-request-size
bot
added
the
size/S
modules/context/context.go
Outdated
| if len(setting.Repository.AccessControlAllowOrigin) > 0 { | ||
| origin := strings.ToLower(ctx.Req.Header.Get("Origin")) | ||
| matcher := regexp.MustCompile(`http(s?)://`) | ||
| origin = matcher.ReplaceAllString(origin, "") | ||
| if origin == setting.Repository.AccessControlAllowOrigin { | ||
| header.Set("Access-Control-Allow-Origin", setting.Repository.AccessControlAllowOrigin) | ||
| } | ||
| } |
There was a problem hiding this comment.
TBH, it doesn't look good to me.
Although I think we can respect the Repository.AccessControlAllowOrigin config, but this logic seems strange, it's different from how the AccessControlAllowOrigin is used in httpBase.
There was a problem hiding this comment.
Although I think we can respect the Repository.AccessControlAllowOrigin config, but this logic seems strange, it's different from how the AccessControlAllowOrigin is used in
httpBase.
You mean removing of a protocol prefix, don't You? I'm agree that logics should be the same. Do You think that this removing is excess?
There was a problem hiding this comment.
You mean removing of a protocol prefix
No, I mean this logic is different from how the AccessControlAllowOrigin is used in httpBase.
gitea/routers/web/repo/http.go
Line 38 in 04347eb
I believe every single line should have its clear purpose and meaning. If httpBase is correct, then new code should follow it (extract the common part to a new function, to avoid duplicate code). If your new code is correct, then is old httpBase incorrect and should be fixed? If httpBase and your code are both correct, then what's the difference, why they should be written differently (which causes inconsistent behavior for the single config option) ?
Quote:
repo/http.go: httpBase() sends a header Access-Control-Allow-Origin: <my_domain> on requests from any domains (as I see).
I haven't looked into details, but there is a standard: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
There was a problem hiding this comment.
I believe every single line should have its clear purpose and meaning. If httpBase is correct, then new code should follow it (extract the common part to a new function, to avoid duplicate code). If your new code is correct, then is old httpBase incorrect and should be fixed? If httpBase and your code are both correct, then what's the difference, why they should be written differently (which causes inconsistent behavior for the single config option)?
You're quite right! But I see the following facts:
http.goimplements Git Smart HTTP protocol. This module doesn't take part in responsing to usual requests from web browser or other simple clients.httpBasesendsAccess-Control-Allow-Originto all clients. It's wrong. Someone should correct it by another PR. I'm better just to add TODO remark inhttp.go, I think.http.goandcontext.goreally have some similar code. This fragment could be located in a separate function. But I think it is not useful right now. It should be a part of further refactoring. The changes could be much more wide. I'd like to minimize My changes now. But I can add one more TODO remark about this idea.
What do You think?
There was a problem hiding this comment.
At least, according to MDN: Access-Control-Allow-Origin: <origin> , https://developer.mozilla.org/en-US/docs/Glossary/Origin , the code origin = matcher.ReplaceAllString(origin, "") doesn't look right.
I would suggest to use a strict (and correct) CORS implementation.
There was a problem hiding this comment.
To fix the httpBase problem, I proposed #24303 , using a standard CORS package could be better.
after it gets merged, I think you can just add repo.CorsHandler() to m.Group("/raw", func() {, then the CORS should work.
There was a problem hiding this comment.
ps: usually the PR doesn't need to sync with main frequently (unless it is out-dated for long time, or there are conflicts). Just leave it there, as long as the PR is ready and approved, maintainers could help to sync & update & merge.
pull-request-size
bot
added
size/XS
ACCESS_CONTROL_ALLOW_ORIGINparameter fromapp.ini;Access-Control-Allow-Originheader for request with the same domain inORIGINheader.