-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KTOR-2872 Add check to prevent anyHost with allowCredentials #2536
Conversation
Hi @hfhbd.
|
@rsinukov Sure, I can change it to warning, but are you sure you can disable this behavior for tests? https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials Without disabling, I don't see a point downgrade the error to warning. |
682da6d
to
f83c920
Compare
Ok, I think you are right. Can you update |
f83c920
to
5fc4abd
Compare
5fc4abd
to
32882d1
Compare
@rsinukov I removed 2 tests, because the used configuration is not possible:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Will merge after CI build
Co-authored-by: hfhbd <hfhbd@users.noreply.github.com>
Co-authored-by: hfhbd <hfhbd@users.noreply.github.com>
Co-authored-by: hfhbd <hfhbd@users.noreply.github.com>
Co-authored-by: hfhbd <hfhbd@users.noreply.github.com>
@hfhbd , @rsinukov I don't think this fixes a problem, it rather creates one: Before this PR was merged, you could allow cross-site requests from any host, even in combination with How can one obtain the same behavior now (i.e. essentially allow cross-domain requests from any host)? |
@raresvla Sorry, I did't get your problem.
You won't get any errors on the client side, if you are using a |
@hfhbd Thanks for looking into this. Let me be more specific on the context I'm referring at:
Therefore, I'm currently configuring the install(CORS) {
allowCredentials = true
anyHost()
// .. more settings here
} This setup worked before and was not triggering a browser complaint, given that the illegal "*" (wildcard) value for Essentially, the
|
@raresvla If so, how can you apply the CORS plugin with the new init check here? https://github.com/hfhbd/ktor/blob/32882d108a406a3d415fe4593a6fe46b411ee33d/ktor-server/ktor-server-plugins/ktor-server-cors/jvm/src/io/ktor/server/plugins/CORS.kt#L80 Found the standard:
Maybe I read the table wrong, or still don't get your problem :) |
@raresvla Or do you also allow other hosts in your config? |
@hfhbd I actually have no explicit allowed hosts in the config, it was I agree with you that it could be a bit confusing to have this dual behavior (i.e. depending on other settings, return either wildcard "*" or the origin host) -- but in my case, this is exactly what I need, since:
Again, before this PR was merged, for a request issued by JS on
|
I believe @raresvla is right here. Browsers do not accept the combination of literally You might argue that the plugin's API is confusing because the things you type don't really map directly onto the headers it sets. But the previous behavior was useful and can't be replicated with the plugin any more. |
Specifically I think the PR should be entirely reverted. Would it help if I opened a PR? (Another alternative would be to explicitly have an option like |
…torio#2536)" This reverts commit a82e199.
Subsystem
Server, core, CORS
Motivation
https://youtrack.jetbrains.com/issue/KTOR-2872
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
Solution
Added check