Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

All OPTIONS requests with origins are treated as CORS preflight requests #21181

Closed
ThisIsMissEm opened this issue Nov 3, 2021 · 2 comments
Closed

All OPTIONS requests with origins are treated as CORS preflight requests #21181

ThisIsMissEm opened this issue Nov 3, 2021 · 2 comments
Labels
area/security area/vertx kind/bug Something isn't working
Milestone
2.5.0.CR1

Comments

@ThisIsMissEm
Copy link
Contributor

Describe the bug

Currently if you have a Quarkus server running with the CORS filter enabled, the http server incorrectly assumes that all OPTIONS requests that have an origin header set are CORS preflight request.

Relevant Settings:

quarkus.http.cors=true
quarkus.http.cors.origins=*
quarkus.http.cors.methods=POST,GET,PUT,OPTIONS,DELETE

I believe this is because the CORS filter doesn't actually check that the request is a preflight request, it just checks for the presence of the origin header: https://github.com/quarkusio/quarkus/blob/main/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java#L136-L137

Based on the information on MDN about preflight requests, it looks like the filter should also be testing for the presence of a Access-Control-Request-Method header and/or a Access-Control-Request-Headers header.

Expected behavior

OPTIONS requests that aren't preflight requests, but have an Origin header should be handled by the application, not returning early due to the filter. Requests that are preflight requests should be handled by the filter

Actual behavior

All OPTIONS requests with an Origin header are handled as if they are preflight requests, application code does not get invoked.

How to Reproduce?

I'm currently trying to work on test cases for showing the behaviour (as well as potentially a fix), however, I'm not that experienced with java.

Output of uname -a or ver

Darwin MBP 19.6.0 Darwin Kernel Version 19.6.0: Tue Oct 12 18:34:05 PDT 2021; root:xnu-6153.141.43~1/RELEASE_X86_64 x86_64

Output of java -version

openjdk version "17.0.1" 2021-10-19 OpenJDK Runtime Environment GraalVM CE 21.3.0 (build 17.0.1+12-jvmci-21.3-b05) OpenJDK 64-Bit Server VM GraalVM CE 21.3.0 (build 17.0.1+12-jvmci-21.3-b05, mixed mode, sharing)

GraalVM version (if different from Java)

17

Quarkus version or git rev

main

Build tool (ie. output of mvnw --version or gradlew --version)

mvnw

Additional information

No response
@ThisIsMissEm ThisIsMissEm added the kind/bug Something isn't working label Nov 3, 2021
@ThisIsMissEm
Copy link
Contributor Author

I think I'm off with the vertx reference above, but the behaviour is still acting as described

@ThisIsMissEm ThisIsMissEm mentioned this issue Nov 4, 2021
Merged
@stuartwdouglas
Copy link
Member

Fixed by #21198

@stuartwdouglas stuartwdouglas added this to the 2.5 - main milestone Nov 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security area/vertx kind/bug Something isn't working
Projects
None yet
Milestone
2.5.0.CR1
Development

No branches or pull requests
4 participants
@ThisIsMissEm @stuartwdouglas @sberyozkin @geoand