gloo
HTTP OPTIONS fails to honor disallowed origins for CORS doc example
Describe the bug A user asked for a more complete working example of the Gloo Edge CORS doc here. It appears that CORS is failing to block disallowed origins, based on that example.
To Reproduce
- Unzip attached cors-vs.yaml.gz
- kubectl apply -f cors-vs.yaml
- See the static upstream httpbin-us and the VS corsexample based on the linked doc, which routes to the httpbin-us upstream.
- Use curl to issue an OPTIONS request against the VS endpoint with an acceptable Origin. That works as expected.
% curl -X OPTIONS -H "Host: cors.solo.io" -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: Content-Type, Accept' -H 'Origin: https://solo.io' $(glooctl proxy url)/get --verbose
* Trying 34.138.145.188...
* TCP_NODELAY set
* Connected to 34.138.145.188 (34.138.145.188) port 80 (#0)
> OPTIONS /get HTTP/1.1
> Host: cors.solo.io
> User-Agent: curl/7.64.1
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: Content-Type, Accept
> Origin: https://solo.io
>
< HTTP/1.1 200 OK
< access-control-allow-origin: https://solo.io
< access-control-allow-credentials: true
< access-control-allow-methods: GET,POST
< access-control-allow-headers: origin
< access-control-max-age: 1d
< access-control-expose-headers: origin
< date: Fri, 03 Dec 2021 21:53:56 GMT
< server: envoy
< content-length: 0
<
* Connection #0 to host 34.138.145.188 left intact
* Closing connection 0
- Use curl to issue an OPTIONS request against the VS endpoint with an unacceptable Origin. The response is an HTTP 200 with access-control-allow-origin: https://example.com. But it should return a failure code since the specified Origin (http://example.com) is not accepted by the cors: stanza. Note that the access-control-allow-methods list is wrong as well, since it contains many methods not allowed by the VS.
% curl -X OPTIONS -H "Host: cors.solo.io" -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: Content-Type, Accept' -H 'Origin: https://example.com' $(glooctl proxy url)/get --verbose
* Trying 34.138.145.188...
* TCP_NODELAY set
* Connected to 34.138.145.188 (34.138.145.188) port 80 (#0)
> OPTIONS /get HTTP/1.1
> Host: cors.solo.io
> User-Agent: curl/7.64.1
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: Content-Type, Accept
> Origin: https://example.com
>
< HTTP/1.1 200 OK
< date: Fri, 03 Dec 2021 21:54:44 GMT
< content-type: text/html; charset=utf-8
< content-length: 0
< server: envoy
< allow: HEAD, OPTIONS, GET
< access-control-allow-origin: https://example.com
< access-control-allow-credentials: true
< access-control-allow-methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
< access-control-max-age: 3600
< access-control-allow-headers: Content-Type, Accept
< x-envoy-upstream-service-time: 38
<
* Connection #0 to host 34.138.145.188 left intact
* Closing connection 0
Expected behavior The response from the second OPTIONS request should indicate that the request would fail.
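The two captures above differ in more than the allow-origin value: the second response also carries x-envoy-upstream-service-time and an allow: header, which Envoy only emits when the response came back from the upstream, so the preflight for the disallowed origin was served by httpbin rather than by the proxy's CORS policy. The following checker is an added example, not code from the Gloo project or from this issue; it takes a captured preflight response (the two header sets below are copied from the curl output above) and the allowlist implied by the first response (origin https://solo.io, methods GET and POST, both assumed), and reports every way the response departs from that policy. It is the kind of assertion a regression test for this bug would run against the real endpoint.

```python
"""Check a CORS preflight response against the origin/method allowlist
the proxy is configured with, and flag responses that grant more."""
from typing import Dict, List, Set

# Constructed samples: header values copied from the two curl captures
# in the bug report (first: allowed origin, second: disallowed origin).
PREFLIGHT_ALLOWED_ORIGIN = {
    "access-control-allow-origin": "https://solo.io",
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET,POST",
    "access-control-allow-headers": "origin",
    "access-control-max-age": "1d",
    "server": "envoy",
    "content-length": "0",
}
PREFLIGHT_DISALLOWED_ORIGIN = {
    "content-type": "text/html; charset=utf-8",
    "server": "envoy",
    "allow": "HEAD, OPTIONS, GET",
    "access-control-allow-origin": "https://example.com",
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
    "access-control-max-age": "3600",
    "access-control-allow-headers": "Content-Type, Accept",
    "x-envoy-upstream-service-time": "38",
}

# Assumed policy, inferred from the first (proxy-served) response.
ALLOWED_ORIGINS = {"https://solo.io"}
ALLOWED_METHODS = {"GET", "POST"}


def parse_method_list(value: str) -> Set[str]:
    """Split a comma-separated Access-Control-Allow-Methods value."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def check_preflight(headers: Dict[str, str], origin: str,
                    allowed_origins: Set[str] = ALLOWED_ORIGINS,
                    allowed_methods: Set[str] = ALLOWED_METHODS) -> List[str]:
    """Return a list of policy violations for one preflight response.

    An empty list means the response is consistent with the allowlist.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    allow_origin = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"

    if origin not in allowed_origins:
        # A disallowed origin must not be granted: neither reflected
        # back verbatim nor covered by a wildcard.
        if allow_origin in (origin, "*"):
            findings.append(f"disallowed origin {origin} was granted access")
        # Reflected origin plus credentials is the worst case: a page on
        # that origin can make authenticated cross-site requests.
        if allow_origin == origin and credentials:
            findings.append("credentials allowed for a disallowed origin")
    elif allow_origin != origin:
        findings.append(f"allowed origin {origin} was not granted access")

    # The proxy must never advertise more methods than its policy allows.
    extra = parse_method_list(h.get("access-control-allow-methods", "")) - allowed_methods
    if extra:
        findings.append("allow-methods exceeds policy: " + ", ".join(sorted(extra)))

    # Envoy sets this header only on responses that came from the
    # upstream, so its presence means the proxy did not answer the
    # preflight itself and the upstream's own CORS handling applied.
    if "x-envoy-upstream-service-time" in h:
        findings.append("preflight was answered by the upstream, not by the proxy")
    return findings


if __name__ == "__main__":
    for label, hdrs, origin in (
        ("allowed origin", PREFLIGHT_ALLOWED_ORIGIN, "https://solo.io"),
        ("disallowed origin", PREFLIGHT_DISALLOWED_ORIGIN, "https://example.com"),
    ):
        problems = check_preflight(hdrs, origin)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run against the captures above, the first response passes and the second produces four findings: the disallowed origin is reflected, credentials are allowed for it, the method list exceeds GET,POST, and the response was produced by the upstream. Pointing the same function at live responses (for example by reading them back from curl --verbose or a Python HTTP client) turns the expected behaviour stated in this issue into a repeatable check.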
Additional context
- Replaces #5657
- Gloo Edge version
% glooctl version
Client: {"version":"1.9.0"}
Server: {"type":"Gateway","enterprise":true,"kubernetes":{"containers":[{"Tag":"1.9.0","Name":"discovery","Registry":"quay.io/solo-io"},{"Tag":"1.9.1","Name":"extauth-ee","Registry":"quay.io/solo-io"},{"Tag":"1.9.0","Name":"gateway","Registry":"quay.io/solo-io"},{"Tag":"1.9.1","Name":"gloo-ee-envoy-wrapper","Registry":"quay.io/solo-io"},{"Tag":"1.9.1","Name":"gloo-ee","Registry":"quay.io/solo-io"},{"Tag":"1.9.1","Name":"observability-ee","Registry":"quay.io/solo-io"},{"Tag":"1.9.1","Name":"rate-limit-ee","Registry":"quay.io/solo-io"},{"Tag":"6.2.4","Name":"redis","Registry":"docker.io"}],"namespace":"gloo-system"}}