-
Notifications
You must be signed in to change notification settings - Fork 382
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS: support wildcard matching for AllowMethods and AllowHeaders #4168
Conversation
d3292ff
to
8ff49b0
Compare
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
8ff49b0
to
4baf302
Compare
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4168 +/- ##
==========================================
- Coverage 66.51% 66.45% -0.06%
==========================================
Files 195 195
Lines 23734 23745 +11
==========================================
- Hits 15786 15780 -6
- Misses 6831 6841 +10
- Partials 1117 1124 +7 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Do we need to label this somehow so that we include a breaking change notice in release notes?
Although the Envoy documentation doesn’t explicitly mention it, the implementation currently allows the The current implementation:
While allowing * can be convenient, whitelisting all headers/methods has a better security posture. Should we using wildcard maching for allowHeaders and allowMethods? @envoyproxy/gateway-maintainers @envoyproxy/gateway-reviewers Test: cors:
allowHeaders:
- '*'
allowMethods:
- '*'
allowOrigins:
- '*'
exposeHeaders:
- '*' curl -H "Origin: http://www.foo.com/" \
-H "Host: www.example.com" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: Content-Type, x-resp" \
-H "Access-Control-Expose-Headers: xxxxxx, yyyyy" \
-X OPTIONS -v -s \
http://172.18.255.200/ \
1> /dev/null
< HTTP/1.1 200 OK
< access-control-allow-origin: http://www.foo.com/
< access-control-allow-methods: GET
< access-control-allow-headers: Content-Type, x-resp
< access-control-expose-headers: *
< date: Tue, 10 Sep 2024 08:43:47 GMT
< content-length: 0 Slack discussion: https://envoyproxy.slack.com/archives/C03E6NHLESV/p1725956439557039?thread_ts=1725899843.349039&cid=C03E6NHLESV CORS implementations in some existing gateways, all of them support wildcard in allowOrigins, and some of them support wildcard in headers and methods.
|
Adding my use case here where we require some way to mention Allow all.
So for us it would be preferable if there is a way to define allow all for |
This comment was marked as resolved.
This comment was marked as resolved.
From Access-Control-Expose-Headers
So for requests without creds/cookies, below exposeHeaders:
- '*' would make it behave like allow all @zhaohuabing |
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
I misunderstood the |
Signed-off-by: Huabing Zhao <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks !
Support wildcard matching for AllowMethods and AllowHeaders
Related: #4196