fix(grpc-web): don't override Access-Control-Allow-Origin header in r…

…esponse (apache#6842)
Liu-Junlin · May 20, 2022 · cda9f4e · cda9f4e
1 parent 498ae61
commit cda9f4e
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 1 deletion.
diff --git a/apisix/plugins/grpc-web.lua b/apisix/plugins/grpc-web.lua
@@ -125,7 +125,10 @@ function _M.header_filter(conf, ctx)
         core.response.set_header("Access-Control-Allow-Methods", DEFAULT_CORS_ALLOW_METHODS)
         core.response.set_header("Access-Control-Allow-Headers", DEFAULT_CORS_ALLOW_HEADERS)
     end
-    core.response.set_header("Access-Control-Allow-Origin", DEFAULT_CORS_ALLOW_ORIGIN)
+
+    if not ctx.cors_allow_origins then
+        core.response.set_header("Access-Control-Allow-Origin", DEFAULT_CORS_ALLOW_ORIGIN)
+    end
     core.response.set_header("Content-Type", ctx.grpc_web_mime)
 end
 

diff --git a/t/plugin/grpc-web.t b/t/plugin/grpc-web.t
@@ -176,3 +176,58 @@ Access-Control-Allow-Origin: *
 Content-Type: application/grpc-web
 --- error_log
 routing configuration error, grpc-web plugin only supports `prefix matching` pattern routing
+
+
+
+=== TEST 9: set route (with cors plugin)
+--- config
+    location /t {
+        content_by_lua_block {
+            local config = {
+                uri = "/grpc/web/*",
+                upstream = {
+                    scheme = "grpc",
+                    type = "roundrobin",
+                    nodes = {
+                        ["127.0.0.1:50001"] = 1
+                    }
+                },
+                plugins = {
+                    ["grpc-web"] = {},
+                    cors = {
+                        allow_origins = "http://test.com",
+                        allow_methods = "POST,OPTIONS",
+                        allow_headers = "application/grpc-web",
+                        expose_headers = "application/grpc-web",
+                        max_age = 5,
+                        allow_credential = true
+                    }
+                }
+            }
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, config)
+
+            if code >= 300 then
+                ngx.status = code
+                ngx.say(body)
+                return
+            end
+
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 10: don't override Access-Control-Allow-Origin header in response
+--- request
+POST /grpc/web/a6.RouteService/GetRoute
+{}
+--- more_headers
+Origin: http://test.com
+Content-Type: application/grpc-web
+--- response_headers
+Access-Control-Allow-Origin: http://test.com
+Content-Type: application/grpc-web