From 2686f7df9e4de61366d5280714e5045fd450c355 Mon Sep 17 00:00:00 2001
From: tzssangglass <tzssangglass@gmail.com>
Date: Thu, 14 Apr 2022 12:12:58 +0800
Subject: [PATCH] fix(grpc-web): don't override Access-Control-Allow-Origin
 header in response

Closes #6834
---
 apisix/plugins/grpc-web.lua |  5 +++-
 t/plugin/grpc-web.t         | 55 +++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/apisix/plugins/grpc-web.lua b/apisix/plugins/grpc-web.lua
index 502b528689eb..18465063b343 100644
--- a/apisix/plugins/grpc-web.lua
+++ b/apisix/plugins/grpc-web.lua
@@ -125,7 +125,10 @@ function _M.header_filter(conf, ctx)
         core.response.set_header("Access-Control-Allow-Methods", DEFAULT_CORS_ALLOW_METHODS)
         core.response.set_header("Access-Control-Allow-Headers", DEFAULT_CORS_ALLOW_HEADERS)
     end
-    core.response.set_header("Access-Control-Allow-Origin", DEFAULT_CORS_ALLOW_ORIGIN)
+
+    if not ctx.cors_allow_origins then
+        core.response.set_header("Access-Control-Allow-Origin", DEFAULT_CORS_ALLOW_ORIGIN)
+    end
     core.response.set_header("Content-Type", ctx.grpc_web_mime)
 end
 
diff --git a/t/plugin/grpc-web.t b/t/plugin/grpc-web.t
index 187031661321..4342dd1b0be6 100644
--- a/t/plugin/grpc-web.t
+++ b/t/plugin/grpc-web.t
@@ -176,3 +176,58 @@ Access-Control-Allow-Origin: *
 Content-Type: application/grpc-web
 --- error_log
 routing configuration error, grpc-web plugin only supports `prefix matching` pattern routing
+
+
+
+=== TEST 9: set route (with cors plugin)
+--- config
+    location /t {
+        content_by_lua_block {
+            local config = {
+                uri = "/grpc/web/*",
+                upstream = {
+                    scheme = "grpc",
+                    type = "roundrobin",
+                    nodes = {
+                        ["127.0.0.1:50001"] = 1
+                    }
+                },
+                plugins = {
+                    ["grpc-web"] = {},
+                    cors = {
+                        allow_origins = "http://test.com",
+                        allow_methods = "POST,OPTIONS",
+                        allow_headers = "application/grpc-web",
+                        expose_headers = "application/grpc-web",
+                        max_age = 5,
+                        allow_credential = true
+                    }
+                }
+            }
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, config)
+
+            if code >= 300 then
+                ngx.status = code
+                ngx.say(body)
+                return
+            end
+
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 10: don't override Access-Control-Allow-Origin header in response
+--- request
+POST /grpc/web/a6.RouteService/GetRoute
+{}
+--- more_headers
+Origin: http://test.com
+Content-Type: application/grpc-web
+--- response_headers
+Access-Control-Allow-Origin: http://test.com
+Content-Type: application/grpc-web