api-manager
CORS Configurations: Access Control Allow Methods Not Working Properly
Description
Even though an HTTP method is removed from the Access Control Allowed Methods list for an API in the publisher portal, that method can still be successfully invoked from the developer portal.
It was observed that the Access-Control-Allow-Methods header is empty in the response to the following preflight request.
curl 'https://localhost:8244/t/wso2.com/pizzashack/1.0.0/menu' -X OPTIONS -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: abc,authorization' -H 'Referer: https://localhost:9444/' -H 'Origin: https://localhost:9444' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-site'
HTTP/1.1 200 OK
Origin: https://localhost:9444
Accept: */*
Access-Control-Allow-Origin: https://localhost:9444
Access-Control-Allow-Methods:
Referer: https://localhost:9444/
Sec-Fetch-Dest: empty
Sec-Fetch-Site: same-site
Host: localhost:8244
Accept-Encoding: gzip, deflate, br
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,apikey,Internal-Key,abc,Authorization,ApiKey
Sec-Fetch-Mode: cors
activityid: fca119fa-5245-4598-8305-a41d633f6028
Access-Control-Expose-Headers:
Access-Control-Request-Method: GET
Access-Control-Request-Headers: abc,authorization
Accept-Language: en-US,en;q=0.5
Date: Mon, 01 Apr 2024 06:36:36 GMT
Transfer-Encoding: chunked
Connection: keep-alive
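To see what a browser actually does with the preflight response above, the following added example (not WSO2 code; the Fetch-standard checks are condensed and the header dictionary is constructed from the response in this report) simulates the browser-side preflight decision. Under those rules GET, HEAD and POST are CORS-safelisted, so a browser never rejects them on the basis of Access-Control-Allow-Methods, empty or not; only non-safelisted methods such as DELETE are blocked by an empty list. The Allowed Methods list therefore cannot be the control that stops a GET from reaching the API; the gateway itself has to refuse methods that are not enabled for the resource.

```python
"""Simulate a browser's CORS preflight decision (condensed from the Fetch
standard's CORS-preflight fetch). Added example; not WSO2 API Manager code."""

# Methods a browser never checks against Access-Control-Allow-Methods.
CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Constructed from the CORS-relevant headers of the preflight response in this report.
PREFLIGHT_RESPONSE = {
    "Access-Control-Allow-Origin": "https://localhost:9444",
    "Access-Control-Allow-Methods": "",
    "Access-Control-Allow-Headers": "authorization,Access-Control-Allow-Origin,"
                                    "Content-Type,SOAPAction,apikey,Internal-Key,"
                                    "abc,Authorization,ApiKey",
}


def _split_list(value):
    """Split a comma-separated header value into a set of stripped tokens.
    An empty or missing header yields an empty set."""
    return {tok.strip() for tok in (value or "").split(",") if tok.strip()}


def preflight_allows(headers, origin, method, request_headers, credentials=False):
    """Return (allowed, reason) for the actual request a browser would send
    after receiving `headers` as the preflight response.

    credentials=True models a request with credentials mode "include", where
    the `*` wildcard is not honoured for methods or headers."""
    # 1. Origin check: exact match, or `*` when no credentials are involved.
    allow_origin = headers.get("Access-Control-Allow-Origin")
    if allow_origin != origin and not (allow_origin == "*" and not credentials):
        return False, "origin not allowed"

    # 2. Method check: safelisted methods pass regardless of the allow list.
    #    (Known methods are compared case-insensitively here; the spec normalises
    #    well-known request methods to upper case before the byte comparison.)
    methods = {m.upper() for m in _split_list(headers.get("Access-Control-Allow-Methods"))}
    method = method.upper()
    if not (method in methods
            or method in CORS_SAFELISTED_METHODS
            or ("*" in methods and not credentials)):
        return False, f"method {method} not in Access-Control-Allow-Methods"

    # 3. Header check: every non-safelisted request header must be listed.
    #    `*` covers everything except Authorization, and only without credentials.
    allowed = {h.lower() for h in _split_list(headers.get("Access-Control-Allow-Headers"))}
    wildcard = "*" in allowed and not credentials
    for h in request_headers:
        name = h.lower()
        if name not in allowed and not (wildcard and name != "authorization"):
            return False, f"header {h} not in Access-Control-Allow-Headers"

    return True, "allowed"


if __name__ == "__main__":
    origin = "https://localhost:9444"
    # The request from the report: GET with custom headers abc and authorization.
    print("GET   :", preflight_allows(PREFLIGHT_RESPONSE, origin, "GET", ["abc", "authorization"]))
    # A non-safelisted method against the same empty allow list.
    print("DELETE:", preflight_allows(PREFLIGHT_RESPONSE, origin, "DELETE", ["abc"]))
```

Running it shows the GET from the report being allowed by the browser even though Access-Control-Allow-Methods is empty, while a DELETE with the same response is rejected. Testing the fix for this issue therefore needs two checks: that the preflight response lists exactly the configured methods, and that a direct GET to the resource (no browser involved) is refused by the gateway once GET is removed.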
Steps to Reproduce
- Deploy the sample API from publisher portal
- Enable CORS configuration for the API from Runtime Configurations
- Remove GET from Access Control Allowed Methods
- Save and deploy the API
- Login to Developer portal and invoke an API resource with GET method
Affected Component
APIM
Version
4.3.0
Environment Details (with versions)
No response
Relevant Log Output
No response
Related Issues
No response
Suggested Labels
No response
Please note that this can be reproduced in APIM 4.2.0, 4.1.0, 4.0.0 and 3.2.0 packs as well.
Please note that this can be reproduced in APIM 4.4.0 packs as well.