Using akka-http-cors 1.1.2 in a Scala web project with

```scala
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import ch.megard.akka.http.cors.scaladsl.CorsDirectives._

// myExceptionHandler, myRejectionHandler, defaultStaticReactEndpoint,
// defaultWebsiteStatic and log are defined elsewhere in the project
val route: Route =
  extractUri { uri =>
    handleExceptions(myExceptionHandler) {
      handleRejections(myRejectionHandler) {
        cors() { // CORS settings come from the akka-http-cors section of the config
          get {
            pathPrefix(defaultStaticReactEndpoint) {
              extractMatchedPath { matched =>
                log.info("From Static {} URI:{}", matched, uri)
                getFromDirectory(defaultWebsiteStatic)
              }
            }
          }
        }
      }
    }
  }
```
This runs on a server, say test.site1.com, and its content is being cross-site referenced from another domain, site2.com; both are https://.

In config I have

```
allowed-origins = "https://*.site1.com"
```

site2 just contains some HTML to do a cross-site access

site2.org

This works fine and serves the image from test.site1.com via site2.com.

However, when I change it to

```
allowed-origins = "https://*.BADsite1.com"
```

despite the site no longer being whitelisted, it still works and serves the image.

I also noticed that the headers for the site2 access have no-cors set despite being flagged as cross-site, so it looks like the wrapper is not sending `Access-Control-Allow-Origin: https://*.site1.com` in the header:

```
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
```

I was under the impression the `cors {}` wrapper added the required headers to enforce CORS.

Also, when I add

```
allow-generic-http-requests = no
```

it now fails for all requests, which I suspect is due to Chrome not realising it is supposed to send Origin. I checked this by adding

```scala
optionalHeaderValueByType(Origin) { origin => }
```

and for all requests it's None.

I'd like to use CORS to lock down cross-site access to named sites, and right now it seems to either allow everything or forbid it.

Help would be gratefully appreciated.
Full headers

Request

```
Request URL: https://test.site1.com/static/media/landt.56f7a83a.png
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.0.1:443
Referrer Policy: strict-origin-when-cross-origin
```

Response

```
Accept-Ranges: bytes
Content-Length: 17398
Content-Type: image/png
Date: Tue, 04 Jan 2022 12:49:24 GMT
ETag: "6fc2017dde802faf"
Last-Modified: Tue, 21 Dec 2021 19:38:02 GMT
Server: akka-http/10.2.7
```

Request

```
GET /static/media/landt.56f7a83a.png HTTP/1.1
Host: test2.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://test2.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en,en-GB;q=0.9
```
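The behaviour in the issue follows from what a CORS directive can see: an `<img>` embed is a no-cors request, so the browser sends no Origin header and there is nothing to match against `allowed-origins`; only `allow-generic-http-requests` decides what happens to such requests, and the Origin that is checked on a real CORS request is the calling page's origin (site2), not the server's. The following is an added, simplified model of that decision logic written for this issue, not akka-http-cors code; the request dictionaries are constructed to mirror the headers above.

```python
from urllib.parse import urlsplit

def origin_allowed(origin, allowed_origins):
    """Match an Origin value against patterns such as 'https://*.site1.com'."""
    o = urlsplit(origin)
    for pattern in allowed_origins:
        if pattern == "*":
            return True
        p = urlsplit(pattern)
        if p.scheme != o.scheme:
            continue
        if p.netloc.startswith("*."):
            if o.netloc.endswith(p.netloc[1:]):  # "*.site1.com" -> ".site1.com"
                return True
        elif p.netloc == o.netloc:
            return True
    return False

def cors_decision(request_headers, allowed_origins, allow_generic=True):
    """Return (outcome, response_headers_to_add) for one request.

    'generic'  - no Origin header, so not a CORS request: passed through untouched,
                 or rejected when allow-generic-http-requests = no
    'allowed'  - Origin matched; Access-Control-Allow-Origin is echoed back
    'rejected' - Origin present but not in the allow list
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return ("generic", {}) if allow_generic else ("rejected", {})
    if origin_allowed(origin, allowed_origins):
        return "allowed", {"Access-Control-Allow-Origin": origin}
    return "rejected", {}

def is_cross_site_embed(request_headers):
    """Defensive signal: a cross-site no-cors request is an <img>-style embed (hotlink)."""
    return (request_headers.get("Sec-Fetch-Site") == "cross-site"
            and request_headers.get("Sec-Fetch-Mode") == "no-cors")

# Constructed samples. IMG_REQUEST mirrors the <img> request in the issue (no Origin);
# FETCH_REQUEST is what a fetch() from a page on site2 would send (Origin = caller).
IMG_REQUEST = {"Host": "test.site1.com", "Sec-Fetch-Mode": "no-cors",
               "Sec-Fetch-Site": "cross-site", "Referer": "https://test2.com"}
FETCH_REQUEST = {"Host": "test.site1.com", "Sec-Fetch-Mode": "cors",
                 "Sec-Fetch-Site": "cross-site", "Origin": "https://site2.com"}

if __name__ == "__main__":
    for allowed in (["https://*.site1.com"], ["https://*.BADsite1.com"]):
        print(allowed, cors_decision(IMG_REQUEST, allowed), cors_decision(FETCH_REQUEST, allowed))
```

Run as-is, the image request comes back `generic` under both allow lists, which is why changing `allowed-origins` has no visible effect, and it flips to `rejected` for every request once `allow_generic` is false; `is_cross_site_embed` shows the only header-level signal (Sec-Fetch-Site/Mode) a server has for logging or policy on such embeds.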