Preflighted CORS on API is broken #3355

Closed
Kubuxu opened this issue Nov 4, 2016 · 5 comments
Labels
need_tests status/deferred Conscious decision to pause or backlog topic/api Topic api topic/CORS Issues related to CORS on HTTP endpoints topic/rpc-api Issues related to Kubo RPC API at /api/v0

Comments

@Kubuxu (Member) commented Nov 4, 2016

The API does not return the headers required for CORS requests.
I think it is a regression, as I remember working on this issue in the past.

Unfortunately we don't have tests for it right now.

Example OPTIONS request on the API:

```
curl -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
  localhost:5001/api/v0/version
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5001 (#0)
> OPTIONS /api/v0/version HTTP/1.1
> Host: localhost:5001
> User-Agent: curl/7.50.3
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: X-Requested-With
> 
< HTTP/1.1 200 OK
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Date: Fri, 04 Nov 2016 10:50:58 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
< 
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
```

You can see that the response does not contain any CORS headers; it should include Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers (Vary doesn't count).

My config says:

```json
  "API": {
    "HTTPHeaders": {
      "Access-Control-Allow-Headers": [
        "X-Requested-With"
      ],
      "Access-Control-Allow-Methods": [
        "PUT",
        "GET",
        "POST"
      ],
      "Access-Control-Allow-Origin": [
        "*"
      ]
    }
  },
```
@dignifiedquire (Member) commented:

I got them to work in Chrome with the following config:

```
'HTTPHeaders.Access-Control-Allow-Origin': ['*'],
'HTTPHeaders.Access-Control-Allow-Credentials': 'true',
'HTTPHeaders.Access-Control-Allow-Methods': ['PUT', 'POST', 'GET']
```

@Kubuxu (Member, Author) commented Nov 4, 2016

Ok, I will test a few things out later and write tests for it.

@Kubuxu Kubuxu self-assigned this Nov 4, 2016
@Kubuxu Kubuxu added status/ready Ready to be worked status/deferred Conscious decision to pause or backlog and removed status/ready Ready to be worked labels Nov 28, 2016
@Kubuxu Kubuxu removed their assignment Nov 28, 2016
@whyrusleeping (Member) commented:

@Kubuxu @dignifiedquire is this still an issue?

@Kubuxu Kubuxu self-assigned this Sep 3, 2017
@daviddias daviddias added the topic/rpc-api Issues related to Kubo RPC API at /api/v0 label Oct 8, 2019
@lidel lidel added the topic/CORS Issues related to CORS on HTTP endpoints label Jun 13, 2020
@michel47 commented:

API CORS still seems to be broken, as it doesn't return an Access-Control-Request-Headers on the OPTIONS pre-flight.

See example: https://gateway.ipfs.io/ipfs/QmZ3wTVb7WeZZAk8g7pczprZcjqswBxhr7GrCNdPna8jac/posting.html

@hacdias (Member) commented Aug 21, 2023

This issue seems to have been solved. Using the config from the first comment, we get:

```
$ curl -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
  localhost:5001/api/v0/version
*   Trying 127.0.0.1:5001...
* Connected to localhost (127.0.0.1) port 5001 (#0)
> OPTIONS /api/v0/version HTTP/1.1
> Host: localhost:5001
> User-Agent: curl/7.88.1
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Headers: X-Requested-With
< Access-Control-Allow-Methods: POST
< Access-Control-Allow-Origin: *
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Date: Mon, 21 Aug 2023 07:49:27 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
```

You can also find sharness tests in https://github.com/ipfs/kubo/blob/master/test/sharness/t0401-api-browser-security.sh.

@hacdias hacdias closed this as completed Aug 21, 2023
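The check the two curl transcripts in this thread make by eye, as an added example (not Kubo's code or its sharness test): parse a `curl --verbose` preflight exchange and list the CORS headers a browser would require that the OPTIONS response did not send, so the 2016 response fails and the 2023 response passes. The function and constant names are this example's own.

```python
# Added example for this issue, not Kubo's code or its sharness test: parse a
# `curl --verbose` preflight transcript and list the CORS headers a browser
# would need that the OPTIONS response failed to send.
import re

def parse_curl_verbose(transcript):
    """Return (request, response) header dicts; names lower-cased, repeats kept."""
    req, resp = {}, {}
    for line in transcript.splitlines():
        m = re.match(r"^([<>]) ([A-Za-z0-9-]+): (.*)$", line)
        if m:  # skips the request/status lines, '*' chatter and blanks
            side = req if m.group(1) == ">" else resp
            side.setdefault(m.group(2).lower(), []).append(m.group(3).strip())
    return req, resp

def _tokens(headers, name):
    # Comma-separated header values, merged across repeated headers, lower-cased.
    return {t.strip().lower() for v in headers.get(name, []) for t in v.split(",") if t.strip()}

def check_preflight(req, resp):
    """Empty list = browser accepts the preflight for the announced method/headers."""
    problems = []
    origin = req.get("origin", [""])[0]
    allow_origin = resp.get("access-control-allow-origin", [])
    if not allow_origin:
        problems.append("missing Access-Control-Allow-Origin")
    elif allow_origin[0] not in ("*", origin):
        problems.append("Access-Control-Allow-Origin does not cover " + origin)
    method = req.get("access-control-request-method", [""])[0].lower()
    allowed = _tokens(resp, "access-control-allow-methods")
    if not allowed:
        problems.append("missing Access-Control-Allow-Methods")
    elif method and method not in allowed and "*" not in allowed:
        problems.append("method %s not allowed" % method.upper())
    wanted = _tokens(req, "access-control-request-headers")
    granted = _tokens(resp, "access-control-allow-headers")
    if wanted and not granted:
        problems.append("missing Access-Control-Allow-Headers")
    elif wanted - granted and "*" not in granted:
        problems.append("headers not allowed: " + ", ".join(sorted(wanted - granted)))
    return problems

def check_transcript(transcript):
    return check_preflight(*parse_curl_verbose(transcript))

# The two OPTIONS exchanges pasted above, trimmed to their CORS headers.
REQUEST = "> Origin: http://example.com\n> Access-Control-Request-Method: POST\n" \
          "> Access-Control-Request-Headers: X-Requested-With\n"
BROKEN_2016 = REQUEST + "< HTTP/1.1 200 OK\n< Vary: Origin\n< Content-Length: 0\n"
FIXED_2023 = REQUEST + ("< HTTP/1.1 200 OK\n< Access-Control-Allow-Headers: X-Requested-With\n"
                        "< Access-Control-Allow-Methods: POST\n< Access-Control-Allow-Origin: *\n")
```

`check_transcript(BROKEN_2016)` reports the three missing Allow headers, while `check_transcript(FIXED_2023)` returns an empty list; a response whose Allow-Methods omits the requested method is reported too.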