From 10c4bee0f9bfe913da5966fa50d1643ef51b6985 Mon Sep 17 00:00:00 2001
From: "opentdf-automation[bot]" <149537512+opentdf-automation[bot]@users.noreply.github.com>
Date: Thu, 13 Nov 2025 17:30:06 +0000
Subject: [PATCH] fix(core): add obligations X-Rewrap-Additional-Context to default CORS allowed headers (#2901)
### Proposed Changes
* This header is required for obligations and should be defaulted.
* Updates all example yamls with full list of default allowed headers.
* DSPX-1938
(cherry picked from commit d86868d6edb9d87e7c22c552e07dd218db98bc8d)
---
 opentdf-core-mode.yaml | 7 ++++++-
 opentdf-dev.yaml | 8 ++++++--
 opentdf-ers-mode.yaml | 8 ++++++--
 opentdf-example.yaml | 8 ++++++--
 opentdf-kas-mode.yaml | 8 ++++++--
 service/internal/server/server.go | 2 +-
 service/pkg/server/testdata/all-no-config.yaml | 8 ++++++--
 7 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/opentdf-core-mode.yaml b/opentdf-core-mode.yaml
index 037b53494a..1ed7897a57 100644
--- a/opentdf-core-mode.yaml
+++ b/opentdf-core-mode.yaml
@@ -38,11 +38,16 @@ server:
 - OPTIONS
 # List of headers that are allowed in a request
 allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
 - Authorization
 - Connect-Protocol-Version
+ - Content-Length
 - Content-Type
+ - Dpop
 - X-CSRF-Token
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
 # List of response headers that browsers are allowed to access
 exposedheaders:
 - Link
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
index 2287f46634..4712457bbb 100644
--- a/opentdf-dev.yaml
+++ b/opentdf-dev.yaml
@@ -134,12 +134,16 @@ server:
 - OPTIONS
 # List of headers that are allowed in a request
 allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
 - Authorization
 - Connect-Protocol-Version
+ - Content-Length
 - Content-Type
+ - Dpop
 - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
 # List of response headers that browsers are allowed to access
 exposedheaders:
 - Link
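Review bot: The opentdf-dev.yaml hunk removes `- X-Request-ID` from allowedheaders, and the same deletion appears in the opentdf-ers-mode.yaml, opentdf-example.yaml, opentdf-kas-mode.yaml and service/pkg/server/testdata/all-no-config.yaml hunks, yet neither the subject nor the "Proposed Changes" list mentions it. Per the yaml comment this list is the set of request headers permitted cross-origin, so a browser client that still sends X-Request-ID would presumably start failing its CORS preflight against these configs. Since X-Request-ID is also absent from the new server.go default, this looks like a deliberate alignment with the default rather than an accident, but the description should say so; otherwise keep the line `- X-Request-ID` in the examples that had it.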
diff --git a/opentdf-ers-mode.yaml b/opentdf-ers-mode.yaml
index a396b963a8..fce2e93961 100644
--- a/opentdf-ers-mode.yaml
+++ b/opentdf-ers-mode.yaml
@@ -75,12 +75,16 @@ server:
 - OPTIONS
 # List of headers that are allowed in a request
 allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
 - Authorization
 - Connect-Protocol-Version
+ - Content-Length
 - Content-Type
+ - Dpop
 - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
 # List of response headers that browsers are allowed to access
 exposedheaders:
 - Link
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
index c110295121..a0b97da826 100644
--- a/opentdf-example.yaml
+++ b/opentdf-example.yaml
@@ -92,12 +92,16 @@ server:
 - OPTIONS
 # List of headers that are allowed in a request
 allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
 - Authorization
 - Connect-Protocol-Version
+ - Content-Length
 - Content-Type
+ - Dpop
 - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
 # List of response headers that browsers are allowed to access
 exposedheaders:
 - Link
diff --git a/opentdf-kas-mode.yaml b/opentdf-kas-mode.yaml
index cbfaee1f06..b6431b297e 100644
--- a/opentdf-kas-mode.yaml
+++ b/opentdf-kas-mode.yaml
@@ -88,12 +88,16 @@ server:
 - OPTIONS
 # List of headers that are allowed in a request
 allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
 - Authorization
 - Connect-Protocol-Version
+ - Content-Length
 - Content-Type
+ - Dpop
 - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
 # List of response headers that browsers are allowed to access
 exposedheaders:
 - Link
diff --git a/service/internal/server/server.go b/service/internal/server/server.go
index c38bd16846..5a82391da2 100644
--- a/service/internal/server/server.go
+++ b/service/internal/server/server.go
@@ -124,7 +124,7 @@ type CORSConfig struct {
 Enabled bool `mapstructure:"enabled" json:"enabled" default:"true"`
 AllowedOrigins []string `mapstructure:"allowedorigins" json:"allowedorigins"`
 AllowedMethods []string `mapstructure:"allowedmethods" json:"allowedmethods" default:"[\"GET\",\"POST\",\"PATCH\",\"DELETE\",\"OPTIONS\"]"`
- AllowedHeaders []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Content-Type\",\"Content-Length\",\"Accept-Encoding\",\"X-CSRF-Token\",\"Authorization\",\"X-Requested-With\",\"Dpop\",\"Connect-Protocol-Version\"]"`
+ AllowedHeaders []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Accept-Encoding\",\"Authorization\",\"Connect-Protocol-Version\",\"Content-Length\",\"Content-Type\",\"Dpop\",\"X-CSRF-Token\",\"X-Requested-With\",\"X-Rewrap-Additional-Context\"]"`
 ExposedHeaders []string `mapstructure:"exposedheaders" json:"exposedheaders"`
 AllowCredentials bool `mapstructure:"allowcredentials" json:"allowcredentials" default:"true"`
 MaxAge int `mapstructure:"maxage" json:"maxage" default:"3600"`
diff --git a/service/pkg/server/testdata/all-no-config.yaml b/service/pkg/server/testdata/all-no-config.yaml
index 2970a6fa00..cdb3592cb6 100644
--- a/service/pkg/server/testdata/all-no-config.yaml
+++ b/service/pkg/server/testdata/all-no-config.yaml
@@ -81,12 +81,16 @@ server:
 - OPTIONS
 # List of headers that are allowed in a request
 allowedheaders:
- - ACCEPT
+ - Accept
+ - Accept-Encoding
 - Authorization
 - Connect-Protocol-Version
+ - Content-Length
 - Content-Type
+ - Dpop
 - X-CSRF-Token
- - X-Request-ID
+ - X-Requested-With
+ - X-Rewrap-Additional-Context
 # List of response headers that browsers are allowed to access
 exposedheaders:
 - Link
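Review bot: The new AllowedHeaders default in server.go carries no doc comment, and nothing in the patch records that the allowedheaders lists in the six yaml files are meant to be a verbatim copy of this tag — that unstated convention is the only thing keeping seven lists in sync, and it is exactly what drifted before this fix (the examples had `ACCEPT` and `X-Request-ID`, the default did not). I would add above the field: `// AllowedHeaders is the CORS request-header allowlist (preflight Access-Control-Allow-Headers). The default is mirrored by the allowedheaders lists in the example yamls and testdata; change them together.` Since AllowCredentials defaults to true two lines below, every header in this default is accepted on credentialed cross-origin requests from whatever AllowedOrigins is set to, so the comment could also note that additions should be limited to headers a browser client genuinely needs. The CORSConfig struct opens before this hunk and closes after it.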