Blocking CORS checks on DevUI - 403 #34097
Comments
/cc @cescoffier (devui), @phillip-kruger (devui)
@federico-s Allowing unrestricted access to Dev UI from non-localhost is a security risk and we've had to deal with such reported risks before.
I agree with you, but I think the possibility to do that in dev mode should be kept, and the configuration mentioned in the guide doesn't work.
@federico-s That configuration is about accessing application endpoints in devmode; the Dev UI CORS filter is about blocking access to devconsole endpoints such as the configuration editor, for example. For this latter case, the Dev UI CORS filter should allow extra origins if configured by the user, so if Having said that, I'm not sure an external client should be allowed to access Dev UI meant for the local devmode, since Quarkus has: CC @stuartwdouglas as well
Isn't this what
We should add a way to add origins. If we reuse the one from the CORS filter, we will have to document them using %dev, otherwise we would change the prod ones.
I would think using
Or maybe we even default the devui settings to the app settings, but I feel like they should be treated separately since they are 2 separate things.
I agree they are 2 separate things, but I'm not sure how it's implemented. If it's the same CORS filter, having 2 properties can be tricky as ordering becomes important. @phillip-kruger do you know?
ah ah, thanks! Ok, then, separate property it is!
Sorry, only catching up now. So are we saying we want a new config for Dev UI that does the same as the normal CORS filter but for the Dev UI one?
We do not need everything, just the allowed origins.
Closing this and replacing it with the more focused, specific issue #40477
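The discussion above settles on a dev-mode-only allowlist of extra origins for the Dev UI, kept separate from the application's CORS settings. The following is an added model of such a check, written for this page and not taken from Quarkus: it accepts any localhost origin on any port, accepts only exact scheme/host/port matches from a configured list, and rejects everything else with the 403 and log line quoted in the report. The list name `extra_origins` and the helper names are assumptions, not Quarkus configuration.

```python
from urllib.parse import urlsplit

# Hosts treated as "local" for the dev-mode Dev UI check (any port is fine).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin header value, or None if malformed.

    An Origin is scheme://host[:port] only; a default port is filled in so that
    "http://host" and "http://host:80" compare equal. Matching is done on the
    parsed host, so "localhost.example" never passes as "localhost".
    """
    if origin is None or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname.lower(), port


def is_origin_allowed(origin, extra_origins=()):
    """Localhost on any port, plus an explicit dev-only allowlist (assumed config)."""
    parsed = normalize_origin(origin)
    if parsed is None:
        return False
    _scheme, host, _port = parsed
    if host in LOCAL_HOSTS:
        return True
    return any(normalize_origin(o) == parsed for o in extra_origins)


def check_request(headers, extra_origins=()):
    """Return (status, log line) for a request carrying the given headers."""
    origin = headers.get("Origin")
    if origin is None:
        return 200, None  # no Origin header: not a cross-origin browser request
    if is_origin_allowed(origin, extra_origins):
        return 200, None
    return 403, f"Only localhost origin is allowed, but Origin header value is: {origin}"
```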
Describe the bug
Hi everyone,
I have a problem with CORS and DevUI. If an external IP tries to open DevUI on the application that I host, client gets a blue screen with Quarkus logo and a "403 CORS Rejected - Invalid origin" response.
In the server log I see this:
Only localhost origin is allowed, but Origin header value is: http://xxx.xxx.xxx.xxx
This behaviour has been introduced since version 3.1.1 and I think this is the PR that causes this behaviour: #33659 .
I tried disabling CORS check in dev mode using this guide but it's not working.
Can you please have a look? I had to downgrade to 3.1.0...
Thanks!
Expected behavior
As 3.1.0
Actual behavior
403 CORS Rejected - Invalid origin
How to Reproduce?
Steps to reproduce the behaviour:
quarkus.http.host=0.0.0.0
Output of uname -a or ver
Darwin MacBook-Pro-2.local 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64 x86_64
Output of
java -version
openjdk-19.0.2
GraalVM version (if different from Java)
No response
Quarkus version or git rev
3.1.1 or above
Build tool (ie. output of mvnw --version or gradlew --version)
maven 3.9.2
Additional information
No response