
Access Control Headers for the HTTP API #409

Closed
bloqhead opened this issue Nov 6, 2019 · 4 comments · Fixed by #412

Comments

bloqhead commented Nov 6, 2019

Summary

When trying to access the HTTP API endpoints through a front end app, the API is not supplying an Access-Control-Allow-Origin header, which means the requests get blocked by CORS in the browser.

Steps To Reproduce

  1. Run a Vue app via vue-cli-service on its default port http://localhost:8080
  2. Try to fetch one of the HTTP API endpoints (/meshes/) with either axios or the fetch API (with an 'Access-Control-Allow-Origin': '*' header supplied)

Additional Details & Logs

  • 0.2.2
  • macOS Mojave 10.14.6

curl requests and requests made through a tool like Insomnia work perfectly.

bloqhead commented Nov 6, 2019

I'm working on a Docker configuration that proxies the requests through something with the needed CORS headers, but for a user that doesn't have that time or knowledge, this could pose a barrier.

@jakubdyszkiewicz (Contributor)

We can either

  1. Add configuration for CORS in the API Server with default to:
  • KUMA_ADVERTISED_HOSTNAME - I think there will be a problem if, for example, on K8S the UI is exposed as a different service name than kuma itself
  • * - not really secure, but it will work for any case
  • null and ask the user to configure it explicitly
  2. Make the server that will serve static content also a proxy to the API Server on a path with prefix /api. Ex. assuming 1234 is the port for the new server, http://localhost:1234/api/meshes will redirect to http://localhost:5681/meshes
    Pro: zero config from the user
    Con: if we want to switch to HTTPS on the API Server then the server that serves the frontend has to be exposed in HTTPS also. Another one is that when developing only the frontend app locally, it requires running it from the control plane to work.

I've seen both in action. I think first option is better. Any thoughts @yskopets ?
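The second option above, a single server that serves the GUI and forwards `/api/...` to the API server with the prefix stripped, as an added example in Go. This is not Kuma's code; the ports 1234 and 5681 are the ones used in the comment, the `newUIServer` and `fakeAPI` names are made up for the example, and the API server is replaced by a constructed `http.RoundTripper` that records what the proxy sends so the block runs without opening a socket.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// newUIServer is a hypothetical implementation of the proxy option: one server
// serves the GUI's static files and forwards everything under /api/ to the API
// server at apiBase with the prefix removed, so
// http://localhost:1234/api/meshes becomes http://localhost:5681/meshes.
// The browser only ever talks to one origin, so no CORS headers are needed.
// transport may be nil, in which case the default (real network) transport is used.
func newUIServer(apiBase *url.URL, static http.Handler, transport http.RoundTripper) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(apiBase)
	proxy.Transport = transport
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)           // rewrites scheme, host and path onto apiBase
		r.Host = apiBase.Host // the default director leaves the Host header as the browser sent it
	}
	mux := http.NewServeMux()
	mux.Handle("/api/", http.StripPrefix("/api", proxy)) // "/api/meshes" -> "/meshes" upstream
	mux.Handle("/", static)
	return mux
}

// fakeAPI is a constructed stand-in for the API server on :5681: it records the
// request the proxy forwards and answers with a canned body.
type fakeAPI struct{ seen *http.Request }

func (f *fakeAPI) RoundTrip(r *http.Request) (*http.Response, error) {
	f.seen = r
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     http.Header{"Content-Type": {"application/json"}},
		Body:       io.NopCloser(strings.NewReader(`{"items":[]}`)),
		Request:    r,
	}, nil
}

// proxiedRequest sends GET uiPath to the UI server and reports the path and
// Host the API saw (both empty when the request was served from static files)
// together with the status returned to the browser.
func proxiedRequest(uiPath string) (path, host string, status int) {
	apiBase, _ := url.Parse("http://localhost:5681")
	api := &fakeAPI{}
	static := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>GUI</html>")
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "http://localhost:1234"+uiPath, nil)
	newUIServer(apiBase, static, api).ServeHTTP(rec, req)
	if api.seen == nil {
		return "", "", rec.Code
	}
	return api.seen.URL.Path, api.seen.Host, rec.Code
}

func main() {
	for _, p := range []string{"/api/meshes", "/api/meshes/default/dataplanes", "/index.html"} {
		path, host, status := proxiedRequest(p)
		fmt.Printf("GET %-32s -> upstream host=%q path=%q, status %d\n", p, host, path, status)
	}
}
```

The trade-off named in the comment is visible in the code: the `apiBase` scheme is fixed in one place, so moving the API to HTTPS means this server either terminates TLS for the browser as well or becomes the one plaintext hop in the path.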

bloqhead commented Nov 6, 2019

The wildcard might be a concern for some adopters, but maybe there can be an option to override settings for the HTTP API or make it so that the HTTP API can be turned off?

yskopets commented Nov 7, 2019

I think, we can go ahead with Access-Control-Allow-Origin: * for now.

Since Kuma REST API doesn't support authentication yet, there are no credentials to worry about.

We can revisit this decision later on.
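The first option (CORS configuration on the API server) with the three defaults discussed above, plus the caveat behind the remark that there are no credentials to worry about, as an added example in Go. This is not Kuma's code: `CORSConfig`, `Validate`, `Middleware` and `probe` are hypothetical names, the stub `/meshes` handler is constructed for the example, and the allowed-origin list stands in for whatever configuration key the project would choose. The point it shows is that `Access-Control-Allow-Origin: *` is only acceptable while the API is unauthenticated; once credentials exist, browsers reject the wildcard on credentialed requests, and the common workaround of echoing the incoming `Origin` would let any site drive the API with the user's credentials, so the configuration refuses that combination outright.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CORSConfig is a hypothetical configuration block for the API server covering
// the three defaults discussed in the thread: an explicit list of origins, the
// wildcard "*", or no origins at all (no CORS headers sent; the user must opt in).
type CORSConfig struct {
	AllowedOrigins   []string // exact-match origins such as "http://localhost:8080", or {"*"}
	AllowCredentials bool     // only meaningful once the API has cookies or tokens to protect
}

// Validate rejects the one combination that is never safe: wildcard plus credentials.
func (c CORSConfig) Validate() error {
	for _, o := range c.AllowedOrigins {
		if o == "*" && c.AllowCredentials {
			return errors.New("cors: wildcard origin cannot be combined with credentials")
		}
	}
	return nil
}

// allowOrigin returns the Access-Control-Allow-Origin value for a request's
// Origin header, or "" when the request should get no CORS headers at all.
func (c CORSConfig) allowOrigin(origin string) string {
	if origin == "" {
		return "" // same-origin request, curl, Insomnia: nothing to do
	}
	for _, o := range c.AllowedOrigins {
		if o == "*" {
			return "*" // never echo the request's Origin here; see Validate
		}
		if o == origin {
			return origin
		}
	}
	return ""
}

// Middleware wraps the API handler, adds CORS headers for allowed origins and
// answers preflight OPTIONS requests itself so they never reach the API.
func (c CORSConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed := c.allowOrigin(r.Header.Get("Origin"))
		preflight := r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != ""
		if allowed == "" {
			if preflight {
				// Disallowed or absent origin: 204 without Allow-Origin fails the
				// browser's preflight, and the API itself is never called.
				w.WriteHeader(http.StatusNoContent)
				return
			}
			next.ServeHTTP(w, r)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", allowed)
		if allowed != "*" {
			h.Add("Vary", "Origin") // the response now depends on Origin; keep shared caches honest
		}
		if c.AllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if preflight {
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			h.Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe runs one request through the middleware in front of a stub /meshes
// handler and returns the status and headers the browser would see.
func probe(cfg CORSConfig, method, origin string) (int, http.Header) {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"items":[]}`) // constructed stand-in for the real /meshes response
	})
	req := httptest.NewRequest(method, "http://localhost:5681/meshes", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "GET")
	}
	rec := httptest.NewRecorder()
	cfg.Middleware(api).ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	wildcard := CORSConfig{AllowedOrigins: []string{"*"}}
	strict := CORSConfig{AllowedOrigins: []string{"http://localhost:8080"}}
	for _, cfg := range []CORSConfig{wildcard, strict} {
		for _, origin := range []string{"http://localhost:8080", "http://evil.example", ""} {
			code, h := probe(cfg, http.MethodGet, origin)
			fmt.Printf("%-26v origin=%-24q -> %d Allow-Origin=%q\n", cfg.AllowedOrigins, origin, code, h.Get("Access-Control-Allow-Origin"))
		}
	}
	fmt.Println("wildcard+credentials:", CORSConfig{AllowedOrigins: []string{"*"}, AllowCredentials: true}.Validate())
}
```

With the wildcard config the Vue dev server on port 8080 gets `Access-Control-Allow-Origin: *` and so does any other site, which is exactly the trade-off accepted in the thread; switching to the explicit list later changes only the configuration, not the middleware.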
