dependency-track
CORS error when navigating to components functionality with CORS Disabled??? (Docker-compose installation with default docker-compose.yml)
Dear,
We recently started with the installation of Dependency-Track using Docker and Docker Compose. I noticed that CORS is enabled by default on the components functionality, even though we did not explicitly set CORS with any environment setting.

I configured the docker-compose file with the default information from the website and only adjusted API_BASE_URL=http://bcco-sca01.domain.local:8081 in the frontend part.

If I navigate to the components page I get a CORS error:

```
Access to XMLHttpRequest at 'http://bcco-sca01.domain.local:8081/api/v1/component/identity?sortOrder=asc&pageSize=10&pageNumber=1' from origin 'http://bcco-sca01.domain.local:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

```
Request URL: http://bcco-sca01.domain.local:8081/api/v1/component/identity?sortOrder=asc&pageSize=10&pageNumber=1
Referrer Policy: strict-origin-when-cross-origin
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: nl-BE,nl-NL;q=0.9,nl;q=0.8,en-US;q=0.7,en;q=0.6,fr;q=0.5,de;q=0.4
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6IkRlcGVuZGVuY3ktVHJhY2siLCJpYXQiOjE2MTY2NTk4OTMsImV4cCI6MTYxNzI2NDY5MywicGVybWlzc2lvbnMiOiJBQ0NFU1NfTUFOQUdFTUVOVCxCT01fVVBMT0FELFBPTElDWV9NQU5BR0VNRU5ULFBPTElDWV9WSU9MQVRJT05fQU5BTFlTSVMsUE9SVEZPTElPX01BTkFHRU1FTlQsUFJPSkVDVF9DUkVBVElPTl9VUExPQUQsU1lTVEVNX0NPTkZJR1VSQVRJT04sVklFV19QT1JURk9MSU8sVlVMTkVSQUJJTElUWV9BTkFMWVNJUyxBQ0NFU1NfTUFOQUdFTUVOVCxCT01fVVBMT0FELFBPTElDWV9NQU5BR0VNRU5ULFBPTElDWV9WSU9MQVRJT05fQU5BTFlTSVMsUE9SVEZPTElPX01BTkFHRU1FTlQsUFJPSkVDVF9DUkVBVElPTl9VUExPQUQsU1lTVEVNX0NPTkZJR1VSQVRJT04sVklFV19QT1JURk9MSU8sVlVMTkVSQUJJTElUWV9BTkFMWVNJUyIsImlkcCI6IkxPQ0FMIn0.T1u_Wamn4ELd-jiH7JfS5rC1RoQxBBIs1QElT6NOOOo
Connection: keep-alive
Content-Type: application/json
Host: bcco-sca01.domain.local:8081
Origin: http://bcco-sca01.domain.local:8080
Referer: http://bcco-sca01.domain.local:8080/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
sortOrder: asc
pageSize: 10
pageNumber: 1
```

Could you please check if this is default behaviour or a bug?

Kind regards,
Ben
Just did the same on an Azure VM (Ubuntu) with the same result.
Have you configured CORS? See https://docs.dependencytrack.org/getting-started/configuration/
Hi Steve,

No, I didn't set up CORS specifically; I used the example docker-compose from the documentation and adjusted the API URL for the frontend to the exposed public URL.

Actually it seems that the functionality is working: I can look up components on the components tab by their coordinates etc., but the first navigation always gives me a CORS error; all the rest is not giving any CORS error.

I also played around with setting the CORS env in the docker-compose with a correct and an incorrect allow origin (ALPINE_CORS_ALLOW_ORIGIN), and this resulted in correct behaviour.

So it seems that even with CORS not applied it's throwing a CORS error on first load of this page.

I set up both an on-prem environment (Ubuntu 18.4) and an Azure Ubuntu 18.4 to check if it was related to the environment (network), but it resulted in the same behaviour.

Thanks for the quick response.

Greetings,
Ben Verlinden
So you can actually reproduce this setup by setting up a Unix machine (Ubuntu) on Azure and installing Docker and Docker Compose. Create the docker-compose with the info from the documentation and adjust the API configuration of the frontend with the http://.. .. .. .. :8081
I do not use Azure. But it works if I follow the instructions from the documentation by performing:

```
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up -d
```

If accessing from a host other than localhost, then you'll need to modify API_BASE_URL in docker-compose.yml prior to starting the container.
If that doesn't work for whatever reason, you might want to check the Slack channel as I know there are many people running DT on Azure.
> Have you configured CORS? See https://docs.dependencytrack.org/getting-started/configuration/
Based on the problem as stated, they should have the default CORS config, which is enabled, but wide open. I'm surprised it would give them an error if that's the case.
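To tell a missing server-side Access-Control-Allow-Origin apart from the browser rejecting the exchange for another reason, this added diagnostic (not part of Dependency-Track or of this thread) replays the preflight Chrome sends before the component/identity call and judges the response headers the way the browser does. The API_URL and ORIGIN values passed to `probe_preflight` are assumed placeholders; the header blocks in the checks are constructed samples.

```shell
#!/bin/sh
# Added diagnostic: replay the CORS preflight with curl and judge the answer
# as a browser would. Not Dependency-Track code; endpoint values are placeholders.

# Print the value of one header (name matched case-insensitively) from a
# header block on stdin; empty output if the header is absent.
header_value() {
  tr -d '\r' | grep -i "^$1:" | head -n 1 | cut -d: -f2- \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Judge a preflight (OPTIONS) response read from stdin for the given origin.
# The frontend sends a Bearer Authorization header, so the browser preflights
# first and needs Access-Control-Allow-Origin to match (or be *) AND
# Access-Control-Allow-Headers to cover "authorization"; otherwise the real
# GET is never sent. Returns 0 when allowed, 1 when the browser would block.
preflight_verdict() {
  origin=$1
  hdrs=$(cat)
  acao=$(printf '%s\n' "$hdrs" | header_value access-control-allow-origin)
  acah=$(printf '%s\n' "$hdrs" | header_value access-control-allow-headers | tr 'A-Z' 'a-z')
  if [ -z "$acao" ]; then
    echo "BLOCKED: no Access-Control-Allow-Origin header (server-side CORS config)"
    return 1
  fi
  if [ "$acao" != "*" ] && [ "$acao" != "$origin" ]; then
    echo "BLOCKED: Allow-Origin '$acao' does not match origin '$origin'"
    return 1
  fi
  case ",$(printf '%s' "$acah" | tr -d ' ')," in
    *,authorization,*|*,\*,*) ;;
    *) echo "BLOCKED: Access-Control-Allow-Headers does not cover 'authorization'"; return 1 ;;
  esac
  echo "ALLOWED: Allow-Origin=$acao Allow-Headers=$acah"
  return 0
}

# Live probe: the same preflight Chrome issues for the component/identity call.
# Usage: probe_preflight API_URL ORIGIN  (placeholders, e.g. the :8081 API and :8080 UI)
probe_preflight() {
  api_url=$1; origin=$2
  curl -s -D - -o /dev/null -X OPTIONS \
    -H "Origin: $origin" \
    -H "Access-Control-Request-Method: GET" \
    -H "Access-Control-Request-Headers: authorization" \
    "$api_url" | preflight_verdict "$origin"
}
```

A wide-open default configuration should print ALLOWED with Allow-Origin=*; a BLOCKED verdict from the live probe points at the API server (or a proxy in front of it) rather than at the browser.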
I experience something similar with the standard setup, CORS enabled, and also with an additional reverse proxy, as I initially suspected the port to be the issue.

The issue only occurs when attempting to upload a BOM in my Chromium browser; Firefox works well. I suspect it's related to the Referrer Policy header showing up in Chromium with strict-origin-when-cross-origin, and it seems as if the request is suppressed by the browser before actually being sent to any server.

Edit: Upon closer inspection the form payload looks broken (missing the actual file contents), but the issue is still a bit unclear to me. Used images dependencytrack/frontend:4.8.1 and dependencytrack/apiserver:4.8.2.
This issue was fixed by adding more memory to the container: 2 CPU and 8 GB of memory.

Dependency-Track Reason: CORS header ‘Access-Control-Allow-Origin’ missing:

```
login:1 Access to XMLHttpRequest at 'https://dtrack-api.xxxx.xx/api/v1/user/login' from origin 'https://dtrack.xxxx.xx' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```