Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gateway has unkillable CORS headers #6213

Open
MichaelMure opened this issue Apr 12, 2019 · 2 comments
Open

Gateway has unkillable CORS headers #6213

MichaelMure opened this issue Apr 12, 2019 · 2 comments
Labels
topic/CORS Issues related to CORS on HTTP endpoints topic/gateway Topic gateway

Comments

@MichaelMure
Copy link
Contributor

Version information:

ipfs version --all
go-ipfs version: 0.4.19-
Repo version: 7
System version: amd64/linux
Golang version: go1.11.5

Type: bug

Description:

The gateway is configured by default with HTTPHeaders being:

{
	"Access-Control-Allow-Headers": [
		"X-Requested-With"
	],
	"Access-Control-Allow-Methods": [
		"GET"
	],
	"Access-Control-Allow-Origin": [
		"*"
	]
}

When changed to:

{
      "X-Pwet": [
        "hello"
      ]
}

The gateway still return the CORS headers, even though the config is gone:

< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Access-Control-Allow-Headers: Content-Type
< Access-Control-Allow-Headers: Range
< Access-Control-Allow-Headers: User-Agent
< Access-Control-Allow-Headers: X-Requested-With
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: Content-Range
< Access-Control-Expose-Headers: X-Chunked-Output
< Access-Control-Expose-Headers: X-Stream-Output
< Cache-Control: public, max-age=29030400, immutable
< Content-Length: 12
< Content-Type: text/plain; charset=utf-8
< Etag: "QmXvrr3gPtddcNrisH7i2nan9rY7v7RcxVQ9jjRreoWwRS"
< Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
< Suborigin: ipfs000bciqi47fhgcpe6mrmoijkvsbgzb55a537hjfrc5e6yyz73vxopwfe52i
< X-Ipfs-Path: /ipfs/QmXvrr3gPtddcNrisH7i2nan9rY7v7RcxVQ9jjRreoWwRS
< X-Pwet: hello
< Date: Thu, 11 Apr 2019 20:04:33 GMT

I'd like to argue that go-ipfs should respect the configuration, and not return those headers anymore in this case.

On a side note, as you can see, the gateway return multiple Access-Control-Allow-Headers and Access-Control-Expose-Headers. My understanding is that while this is legal, it also might cause incompatibility issues and is generally less easy to deal with (at least in go). The API return instead the same headers only once, with a list of values.

@Kubuxu
Copy link
Member

Kubuxu commented Apr 15, 2019

When you delete those keys, default values are used. What is a problem with CORS headers being present on gateways?

@MichaelMure
Copy link
Contributor Author

It create a conflict when you want to have a proxy in front of go-ipfs and handle CORS there. It's still possible to filter the CORS headers in the proxy, but it's rather awkward and brittle.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
topic/CORS Issues related to CORS on HTTP endpoints topic/gateway Topic gateway
Projects
None yet
Development

No branches or pull requests

4 participants