
Cors headers do not seem to get sent out #204

Open
rleinfellner opened this issue Jan 4, 2022 · 1 comment

Comments

@rleinfellner

I am not sure what I am doing wrong

using akka-http-cors 1.1.2 in a scala web project with

val route: Route =
  extractUri { uri =>
    handleExceptions(myExceptionHandler) {
      handleRejections(myRejectionHandler) {
        cors() {
          get {
            pathPrefix(defaultStaticReactEndpoint) {
              extractMatchedPath { matched =>
                log.info("From Static {} URI:{}", matched, uri)
                getFromDirectory(defaultWebsiteStatic)
              }
            }
          }
        }
      }
    }
  }

This runs on a server say test.site1.com and its content is being cross site referenced from another domain site2.com, both are https://

In config I have

allowed-origins = "https://*.site1.com"

site2 just contains some html to do a cross site access

site2.org

This works fine & serves the image from test.site1.com via site2.com

However when I change

allowed-origins = "https://*.BADsite1.com"

despite the site no longer being whitelisted it still works and serves the image

I also noticed that the headers for the site 2 access have no-cors set despite being flagged as cross site, so it looks like the wrapper is not sending Access-Control-Allow-Origin: https://*.site1.com in the header

Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site

I was under the impression the cors {} wrapper added the required headers to enforce cors

Also when I add
allow-generic-http-requests = no
it now fails for all requests, which I suspect is due to chrome not realising it is supposed to send Origin

I checked this by adding
optionalHeaderValueByType(Origin) { origin => }

and for all requests it's None

I'd like to use cors to lock down cross site access to named sites, and right now it seems to either allow everything or forbid it

Help would be gratefully appreciated

Full headers

Request

Request URL: https://test.site1.com/static/media/landt.56f7a83a.png
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.0.1:443
Referrer Policy: strict-origin-when-cross-origin

Response

Accept-Ranges: bytes
Content-Length: 17398
Content-Type: image/png
Date: Tue, 04 Jan 2022 12:49:24 GMT
ETag: "6fc2017dde802faf"
Last-Modified: Tue, 21 Dec 2021 19:38:02 GMT
Server: akka-http/10.2.7

Request
GET /static/media/landt.56f7a83a.png HTTP/1.1
Host: test2.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://test2.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-GB;q=0.9
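The captured request above has `Sec-Fetch-Mode: no-cors` and no `Origin` header, which is the detail that decides what a CORS filter can do with it. The following is an added, constructed model of a server-side CORS filter's decision for one request; it is not code from akka-http-cors or from the issue author, and the function names (`origin_allowed`, `cors_filter`), the wildcard semantics (`*` stands for any host characters other than `/`) and the default method list are assumptions made for the example. It models the two settings named in the issue, `allowed-origins` and `allow-generic-http-requests`, and replays the issue's own image request alongside two hypothetical requests that do carry an `Origin` header.

```python
"""Model of how a CORS filter treats a request, keyed on the Origin header.

Added example, not akka-http-cors code. The pattern syntax, the method list
and the status codes are assumptions of this model; only the settings' names
come from the issue.
"""
import re
from typing import Dict, List, Tuple

# Assumed default for preflight answers in this model.
ALLOWED_METHODS = ["GET", "POST", "HEAD", "OPTIONS"]


def origin_allowed(origin: str, allowed_origins: List[str]) -> bool:
    """Match an Origin value against patterns such as 'https://*.site1.com'.

    In this model a '*' matches one or more characters other than '/', so the
    pattern above accepts 'https://app.site1.com' but not 'https://site2.com'
    and not 'https://app.site1.com.example.net' (the suffix must match).
    """
    for pattern in allowed_origins:
        regex = re.escape(pattern).replace(r"\*", "[^/]+")
        if re.fullmatch(regex, origin):
            return True
    return False


def cors_filter(
    method: str,
    request_headers: Dict[str, str],
    allowed_origins: List[str],
    allow_generic_http_requests: bool = True,
) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra response headers) for one request.

    The browser only marks a request as CORS by sending an Origin header.
    An <img> load runs in no-cors mode and carries no Origin, so the server
    sees a "generic" HTTP request indistinguishable from curl or a typed URL.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")

    if origin is None:
        # Generic request: nothing to validate. With the setting on, it passes
        # through with no CORS headers; with it off, everything lacking Origin
        # is rejected, including ordinary same-site GETs from a browser.
        return (200, {}) if allow_generic_http_requests else (403, {})

    if not origin_allowed(origin, allowed_origins):
        # A real CORS request from an origin outside the list is rejected.
        return 403, {}

    if method == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: answer with the allowed method list for this origin.
        return 200, {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
            "Vary": "Origin",
        }

    # Actual CORS request: the header echoes the specific matched origin.
    # Browsers do not accept a pattern like 'https://*.site1.com' here.
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


# Constructed from the request capture in the issue: no Origin header.
IMAGE_REQUEST = {
    "Host": "test2.com",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Mode": "no-cors",
    "Sec-Fetch-Dest": "image",
    "Referer": "https://test2.com",
}

if __name__ == "__main__":
    allowed = ["https://*.site1.com"]
    print("img, generic allowed :", cors_filter("GET", IMAGE_REQUEST, allowed))
    print("img, generic refused :", cors_filter("GET", IMAGE_REQUEST, allowed, False))
    # Hypothetical fetch() calls in cors mode, which do send Origin.
    print("fetch from site2     :",
          cors_filter("GET", {"Origin": "https://site2.com"}, allowed))
    print("fetch from app.site1 :",
          cors_filter("GET", {"Origin": "https://app.site1.com"}, allowed))
```

Running the model reproduces each observation in the report: the image request is passed through untouched whether the pattern is `https://*.site1.com` or `https://*.BADsite1.com`, because no origin check can run on a request that has no `Origin`; switching generic requests off rejects it, and rejects every other Origin-less GET with it; and a request that does carry `Origin` is the only kind where `allowed-origins` decides, with the response echoing that exact origin rather than the pattern. CORS governs what a cross-origin script may read, not whether a browser may embed a resource as an image, so restricting embedding is a job for a referrer check or an authentication step rather than for the CORS settings.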

@klammal

klammal commented Mar 17, 2022

Having the same issue with Java
