
Cors headers does not seem to get sent out

Open · rleinfellner opened this issue 3 years ago · 1 comment

I am not sure what I am doing wrong

using akka-http-cors 1.1.2 in a Scala web project with

```scala
val route: Route =
  extractUri { uri =>
    handleExceptions(myExceptionHandler) {
      handleRejections(myRejectionHandler) {
        cors() {
          get {
            pathPrefix(defaultStaticReactEndpoint) {
              extractMatchedPath { matched =>
                log.info("From Static {} URI:{}", matched, uri)
                getFromDirectory(defaultWebsiteStatic)
              }
            }
          }
        }
      }
    }
  }
```

This runs on a server, say test.site1.com, and its content is being cross-site referenced from another domain, site2.com; both are https://

In config I have

```
allowed-origins = "https://*.site1.com"
```

site2 just contains some HTML to do a cross-site access

site2.org

This works fine and serves the image from test.site1.com via site2.com

However when I change

```
allowed-origins = "https://*.BADsite1.com"
```

despite the site no longer being whitelisted, it still works and serves the image

I also noticed that the headers for the site2 access have no-cors set despite being flagged as cross-site, so it looks like the wrapper is not sending `Access-Control-Allow-Origin: https://*.site1.com` in the header

```
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
```

I was under the impression the `cors {}` wrapper added the required headers to enforce CORS

Also, when I add `allow-generic-http-requests = no` it now fails for all requests, which I suspect is due to Chrome not realising it is supposed to send Origin

I checked this by adding `optionalHeaderValueByType(Origin) { origin => }`

and for all requests it's None

I'd like to use CORS to lock down cross-site access to named sites, and right now it seems to either allow everything or forbid it

Help would be gratefully appreciated

---

Full headers

Request

```
Request URL: https://test.site1.com/static/media/landt.56f7a83a.png
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.0.1:443
Referrer Policy: strict-origin-when-cross-origin
```

Response

```
Accept-Ranges: bytes
Content-Length: 17398
Content-Type: image/png
Date: Tue, 04 Jan 2022 12:49:24 GMT
ETag: "6fc2017dde802faf"
Last-Modified: Tue, 21 Dec 2021 19:38:02 GMT
Server: akka-http/10.2.7
```

Request

```
GET /static/media/landt.56f7a83a.png HTTP/1.1
Host: test2.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://test2.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-GB;q=0.9
```

rleinfellner, Jan 04 '22 13:01
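The behaviour reported above follows from what a server-side CORS directive can and cannot see. The model below is an added illustration, not akka-http-cors code: it mimics the decision `cors()` makes for a plain GET, treating `allowed-origins` as a glob pattern (via `fnmatch`, an assumption about the matcher) and modelling a CORS rejection as a 403. An `<img>` load arrives with `Sec-Fetch-Mode: no-cors` and no `Origin` header, so the allowed-origins pattern is never consulted and the image is served regardless; with `allow-generic-http-requests = no`, that same missing header makes every image load fail. CORS is enforced by the browser for scripted requests, so it does not stop another site from embedding the image.

```python
from fnmatch import fnmatchcase
from typing import Dict, Tuple

# Simplified model of the cors() decision for a plain GET; not the library's code.
# `allowed_origins` is a pattern in the style of the issue's config,
# e.g. "https://*.site1.com"; '*' matches any run of characters (assumption).
def origin_allowed(origin: str, allowed_origins: str) -> bool:
    return allowed_origins == "*" or fnmatchcase(origin, allowed_origins)

def cors_filter(request_headers: Dict[str, str], allowed_origins: str,
                allow_generic_http_requests: bool = True) -> Tuple[int, Dict[str, str]]:
    """Return (status, CORS response headers) for an actual (non-preflight) GET."""
    origin = request_headers.get("Origin")
    if origin is None:
        # No Origin header means the browser did not make a CORS request
        # (an <img> load arrives with Sec-Fetch-Mode: no-cors and no Origin).
        # There is nothing to match against allowed-origins: the request is
        # either served as a generic request or, with
        # allow-generic-http-requests = no, rejected outright.
        return (200, {}) if allow_generic_http_requests else (403, {})
    if not origin_allowed(origin, allowed_origins):
        return 403, {}  # CORS rejection: origin not in the allowed set
    return 200, {"Access-Control-Allow-Origin": origin}

# Constructed headers modelled on the issue's capture: Chrome loading an <img>
# on site2 that points at test.site1.com. Note the absence of Origin.
IMG_REQUEST = {
    "Host": "test.site1.com",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Mode": "no-cors",
    "Sec-Fetch-Dest": "image",
    "Referer": "https://test2.com",
}
# Constructed: the same resource fetched with fetch()/XHR, which does send Origin.
FETCH_REQUEST = {**IMG_REQUEST, "Sec-Fetch-Mode": "cors", "Origin": "https://site2.com"}

if __name__ == "__main__":
    # The <img> load is served whatever allowed-origins says, with no CORS header...
    print(cors_filter(IMG_REQUEST, "https://*.site1.com"))
    print(cors_filter(IMG_REQUEST, "https://*.BADsite1.com"))
    # ...and disabling generic requests rejects every such load.
    print(cors_filter(IMG_REQUEST, "https://*.site1.com", allow_generic_http_requests=False))
    # Only a request that carries Origin is actually filtered by the pattern.
    print(cors_filter(FETCH_REQUEST, "https://*.site1.com"))
    print(cors_filter({**FETCH_REQUEST, "Origin": "https://app.site1.com"}, "https://*.site1.com"))
```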

Having the same issue with Java

klammal, Mar 17 '22 12:03