-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS Preflight Fails for API Calls #16100
Comments
This issue occurs for me in every commit since the middleware switchover (6433ba0). For what it's worth, the old CORS middleware would just reflect the Access-Control-Allow-Header field, while the new one requires a whitelist to be given. |
Looking at: Lines 564 to 573 in cbf3083
It appears that we're not setting the AllowHeaders or ExposedHeaders options. Whilst we could make these user definable - I suspect that that is incorrect - so we need to go through the API and work out which headers needs to be settable by and exposed to the user. |
OK so most of the time we explicitly set the correct Access-Control-Expose-Headers - but the Access-Control-Allow-Headers thing needs to be set. |
@drewmnoel having just fixed #16350 where I noted that the issue was the lack of routes using the OPTIONS method and looking again at your opening comment I see that you're also explicitly mentioning OPTIONS. We don't currently support OPTIONS on our API routes which would explain why these are failing and our Swagger API doesn't even suggest that we do support OPTIONS. So - I think we need some explanation as to why and what you're using OPTIONS for. |
ah now I see... |
This is going to require a lot of work |
Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers to pull API. Fix go-gitea#16100 Signed-off-by: Andrew Thornton <art27@cantab.net>
Backport go-gitea#16524 Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers to pull API. Fix go-gitea#16100 Signed-off-by: Andrew Thornton <art27@cantab.net>
Set AllowedHeaders on API CORS handler and add missing Access-Control-Expose-Headers to pull API. Fix #16100 Signed-off-by: Andrew Thornton <art27@cantab.net>
TAGS="bindata sqlite sqlite_unlock_notify" make build
[x]
):app.ini
)Description
When accessing the API with JavaScript and an OAuth token, a CORS preflight is triggered due to the precense of the
Authorization:
header. The CORS middleware denies the preflight, returning only theVary:
header, rather than the expected set ofAccess-Control-Allow-
. An example request (note: organization and repo do not need to exist):It appears that gitea may not be informing the CORS middleware of the "Authorization" header for API calls:
gitea/routers/api/v1/api.go
Lines 564 to 573 in cbf3083
If this call is updated to include
Debug: true
, the middleware will print to standard output when it runs, which shows that the authorization header is not permitted:The text was updated successfully, but these errors were encountered: