-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gateway: fix CORs headers #5893
Conversation
License: MIT Signed-off-by: Steven Allen <[email protected]>
fixes #5138 -- always add user-agent to access-control-allow-headers. fixes #5888 -- same with content-type. fixes #5892 -- extend user-provided headers instead of overriding them. License: MIT Signed-off-by: Steven Allen <[email protected]>
License: MIT Signed-off-by: Steven Allen <[email protected]>
License: MIT Signed-off-by: Steven Allen <[email protected]>
ad6373e
to
b15cf01
Compare
c.Headers[h] = v | ||
h = http.CanonicalHeaderKey(h) | ||
switch h { | ||
case cmdsHttp.ACAOrigin, cmdsHttp.ACAMethods, cmdsHttp.ACACredentials: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already skip these in the commands lib so this probably isn't necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While we are fixing CORS, it may be worth addressing a nuance related to #5138, #5892 and ipfs/in-web-browsers#132 (comment):
Access-Control-Allow-Headers
is relevant only duringOPTIONS
request, can be skipped in other response typesAccess-Control-Expose-Headers
is relevant only during non-OPTIONS
request (GET
,POST
etc), and can be skipped inOPTIONS
response
Right now we return them for every request type which is really confusing and suggests brute-force approach to CORS. Would be nice to address this in default config and remove noise of irrelevant headers (test suggestions below)
grep "Access-Control-Allow-Headers:" curl_output | ||
grep "< Access-Control-Allow-Origin: \*" curl_output && | ||
grep "< Access-Control-Allow-Methods: GET" curl_output && | ||
grep "< Access-Control-Allow-Headers: Range" curl_output && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Access-Control-Allow-Headers
is relevant only during OPTIONS
request, should not be returned with GET
response:
grep "< Access-Control-Allow-Headers: Range" curl_output && | |
grep -vL "< Access-Control-Allow-Headers" curl_output && |
Rationale: ipfs/in-web-browsers#132 (comment)
grep "< Access-Control-Allow-Origin: \*" curl_output && | ||
grep "< Access-Control-Allow-Methods: GET" curl_output && | ||
grep "< Access-Control-Allow-Headers: Range" curl_output && | ||
grep "< Access-Control-Expose-Headers: Content-Range" curl_output |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Access-Control-Expose-Headers
is relevant only during non-OPTIONS
request (GET
, PUT
etc), and should not be returned with OPTIONS
response:
grep "< Access-Control-Expose-Headers: Content-Range" curl_output | |
grep -vL "< Access-Control-Expose-Headers" curl_output |
Rationale: ipfs/in-web-browsers#132 (comment)
We should fix this but it may require a bit of refactoring to get it right (beyond the scope of this PR). |
@Stebalien is it the right time to ask that the IPFS config.json gets organized by system rather than a mix of everything. By this I mean, have a
This would be a great improvement to create easy to parse tutorials. Right now we see things such as:
Which raises questions such as "Why does the Gateway need CORS headers, it only receives GET requests?", "What is a Writable Gateway?" and more. |
@daviddias I feel I miss some context here: what exactly feels to you like mixing concerns? My understanding is that we already have separate namespaces for
CORS on Gateway is useful for API subset exposed there. Websites are able to read data via cross-origin XHR to https://ipfs.io/api/v0/dns/ipfs.io?r=true and AFAIK that is why our public Gateway at ipfs.io returns |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks OK for me (knowing it doesn't fix everything, it does improve some things).
@daviddias, @lidel is correct but I do agree that the config could use a bit of a reorg with 20-20 hindsight (same as the commands). However, that would be a massively breaking change. Let's reconsider this when we reorganize the API/commands. When we do that, we can insert a config translation layer such that |
gateway: fix CORs headers This commit was moved from ipfs/kubo@42a15ba
user-agent
to default list ofAccess-Control-Allow-Headers
#5138 -- always add user-agent to access-control-allow-headers.TODO: