-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS preflight requests to RPC API with custom headers #7667
Comments
This seems to be still an issue more than a year later. It works fine with http://localhost:5001/api/v0/pubsub/sub?arg=udGVzdA but not with http://localhost:5001/api/v0/pubsub/pub?arg=udGVzdA It works through cURL though.
|
You should never expose your RPC API to the entire internet. That being said, CORS support in go-ipfs is the bare minimum to have it work on Gateways (I think we still use what was added in 2016 as a temporary fix), RPC API was never a priority because it is not intended for direct consumption in browser anyway. I think this issue is a good opportunity to take a loot at CORS in general: make sure we have all behaviors covered with tests, and then fix bugs like the one described here. On the issue at handConfirmed the behavior. Can be reproduced with: ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://webui.ipfs.io"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]' Preflight without $ curl -v -X OPTIONS -H "access-control-request-method: POST" -H "origin: https://webui.ipfs.io" http://127.0.0.1:5001/api/v0/id
> OPTIONS /api/v0/id HTTP/1.1
> Host: 127.0.0.1:5001
> User-Agent: curl/7.79.1
> Accept: */*
> access-control-request-method: POST
> origin: https://webui.ipfs.io
< HTTP/1.1 200 OK
< Access-Control-Allow-Methods: POST
< Access-Control-Allow-Origin: https://webui.ipfs.io
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Date: Fri, 04 Feb 2022 14:01:45 GMT
< Content-Length: 0 Preflight with curl -v -X OPTIONS -H "access-control-request-method: POST" -H "access-control-request-headers: x-stream-output" -H "origin: https://webui.ipfs.io" http://127.0.0.1:5001/api/v0/id
> OPTIONS /api/v0/id HTTP/1.1
> Host: 127.0.0.1:5001
> User-Agent: curl/7.79.1
> Accept: */*
> access-control-request-method: POST
> access-control-request-headers: x-stream-output
> origin: https://webui.ipfs.io
< HTTP/1.1 200 OK
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Date: Fri, 04 Feb 2022 13:58:28 GMT
< Content-Length: 0 |
Should be resolved with next release of |
@lidel : is there any more work that needs to be done here now that ipfs/go-ipfs-cmds#222 has been merged? |
At the very least, someone needs to add sharness tests to see what is the current behavior. There is some prior art in comments at #8718 (review), but these tests are for Given our effort to:
..this is fairly low priority, should stay in "best effort" track |
Version information:
go-ipfs 0.6.x
Description:
While implementing ipfs/js-ipfs#3275 I checked go-ipfs behaviour around preflight requests and I'm not sure it's implemented correctly.
Preflight requests are not issued for every fetch, one way to cause one to occur is to specify a non-default header value.
I've put a quick demo app together here: https://github.com/achingbrain/ipfs-cors-preflight-test
It tries to send an
X-Stream-Output: *
header along with every request which should be allowed as it's returned in theAccess-Control-Allow-Headers
list along with successful responses.Running the test in the repo above against go-ipfs prints this error in the console:
See the readme of the linked repo above for the correct headers that should be returned in order for the preflight request to succeed.
cc @lidel
The text was updated successfully, but these errors were encountered: