fix(security): CORS Allow-Credentials header applies to ALL CORS requ…

…ests (edgexfoundry#4669) Signed-off-by: Bryon Nevis <[email protected]>
weichou1229 · Sep 6, 2023 · 2bac5d1 · 2bac5d1
1 parent 5e4c173
commit 2bac5d1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/cmd/security-proxy-setup/entrypoint.sh b/cmd/security-proxy-setup/entrypoint.sh
@@ -59,14 +59,15 @@ fi
 echo "$(date) CORS settings dump ..."
 ( set | grep EDGEX_SERVICE_CORSCONFIGURATION ) || true
 
+# See https://github.com/edgexfoundry/edgex-go/issues/4648 as to why CORS is implemented this way.
+# Warning: no not simplify add_header redundancy. See https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx
 corssnippet=/etc/nginx/templates/cors.block.$$
 touch "${corssnippet}"
 if test "${EDGEX_SERVICE_CORSCONFIGURATION_ENABLECORS}" = "true"; then
   echo "      if (\$request_method = 'OPTIONS') {" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Allow-Origin' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN}';" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Allow-Methods' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDMETHODS}';" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Allow-Headers' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDHEADERS}';" >> "${corssnippet}"
-  # Access-Control-Expose-Headers should not be set on OPTIONS request
   if test "${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}" = "true"; then
     # CORS specificaiton says that if not true, omit the header entirely
     echo "        add_header 'Access-Control-Allow-Credentials' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}';" >> "${corssnippet}"
@@ -81,6 +82,10 @@ if test "${EDGEX_SERVICE_CORSCONFIGURATION_ENABLECORS}" = "true"; then
   # Always add headers regardless of response code.  Omit preflight-related headers (allow-methods, allow-headers, allow-credentials, max-age)
   echo "        add_header 'Access-Control-Allow-Origin' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN}' always;" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Expose-Headers' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSEXPOSEHEADERS}' always;" >> "${corssnippet}"
+  if test "${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}" = "true"; then
+    # CORS specificaiton says that if not true, omit the header entirely
+    echo "        add_header 'Access-Control-Allow-Credentials' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}';" >> "${corssnippet}"
+  fi
   echo "        add_header 'Vary' 'origin' always;" >> "${corssnippet}"
   echo "      }" >> "${corssnippet}"
   echo "" >> "${corssnippet}"

diff --git a/snap/local/runtime-helpers/bin/security-bootstrapper-nginx b/snap/local/runtime-helpers/bin/security-bootstrapper-nginx
@@ -31,14 +31,15 @@ fi
 echo "$(date) CORS settings dump ..."
 ( set | grep EDGEX_SERVICE_CORSCONFIGURATION ) || true
 
+# See https://github.com/edgexfoundry/edgex-go/issues/4648 as to why CORS is implemented this way.
+# Warning: no not simplify add_header redundancy. See https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx
 corssnippet=/tmp/cors.block.$$
 touch "${corssnippet}"
 if test "${EDGEX_SERVICE_CORSCONFIGURATION_ENABLECORS}" = "true"; then
   echo "      if (\$request_method = 'OPTIONS') {" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Allow-Origin' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN}';" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Allow-Methods' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDMETHODS}';" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Allow-Headers' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDHEADERS}';" >> "${corssnippet}"
-  # Access-Control-Expose-Headers should not be set on OPTIONS request
   if test "${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}" = "true"; then
     # CORS specificaiton says that if not true, omit the header entirely
     echo "        add_header 'Access-Control-Allow-Credentials' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}';" >> "${corssnippet}"
@@ -53,6 +54,10 @@ if test "${EDGEX_SERVICE_CORSCONFIGURATION_ENABLECORS}" = "true"; then
   # Always add headers regardless of response code.  Omit preflight-related headers (allow-methods, allow-headers, allow-credentials, max-age)
   echo "        add_header 'Access-Control-Allow-Origin' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWEDORIGIN}' always;" >> "${corssnippet}"
   echo "        add_header 'Access-Control-Expose-Headers' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSEXPOSEHEADERS}' always;" >> "${corssnippet}"
+  if test "${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}" = "true"; then
+    # CORS specificaiton says that if not true, omit the header entirely
+    echo "        add_header 'Access-Control-Allow-Credentials' '${EDGEX_SERVICE_CORSCONFIGURATION_CORSALLOWCREDENTIALS}';" >> "${corssnippet}"
+  fi
   echo "        add_header 'Vary' 'origin' always;" >> "${corssnippet}"
   echo "      }" >> "${corssnippet}"
   echo "" >> "${corssnippet}"