New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Log on startup with "Default CORS properties will be used, please use 'quarkus.http.cors' properties instead" without more information #28377
Comments
cc @sberyozkin |
@yrodiere Hi, I'm not sure there is anything that we should address here. Perhaps, in production, we should even do
I remember now, there was a SAST Snyk failure related to these default wildcard properties, I can link to the report if you'd like. |
Perhaps the message can be improved, do you have some proposals in mind ? |
I think that's the essence of what you meant, then, and that should be in the message. That being said, if it's such a big security risk, why aren't we setting Also... why is this warning in the OpenAPI extension, while Also, the documentation (597440d#diff-2df6cfd5c9a3b893d4bfc6e0d9c56c5cf1f9d8dc24727b22fc0206f4dff460b6R527-R530) seems to suggest that one needs to configure the CORS filter, otherwise a single-page application coming from another domain will not work... but that seems to be the opposite, it will work fine without a filter, but one should enable the filter (and correctly configure the filter) to make sure it can only be used from that single-page application? So many questions... :)
Maybe this?
Though I'm still not sure this log should exist if we consider that |
We can't give more information as we don't know how CORS should be configured for a particular production case. But making it more informative can help, perhaps:
Users can enable nearly the same wildcards with But recommending |
@yrodiere Sure, I'd only propose replace
Re |
The only concern is that So probably
|
Ok, I'm understanding a bit more. As someone not working with HTML/HTTP on a daily basis, I must admit it's all quite blurry to me. So maybe it's clearer to the intended audience of Quarkus. That being said, even for the intended audience, I think it can be confusing that we mention "Default CORS properties" being used as a problem. The problem is not the defaults (which are what they are, from what I understand we cannot do better). The problem is that those defaults are not to filter out anything, and that may not be secure. So maybe you'd want to replace "Default wildcard CORS properties will be used" with "CORS filtering is disabled and cross-origin resource sharing is allowed without restriction"? I would also suggest including a link, we've done it elsewhere already, and when the problem is specific enough, that's probably worth it.
Still... why does this warning appear only when using quarkus-smallrye openapi? I'd expect the problem to affect just about any application? |
Wait, if we're concerned that the documentation refactoring will lead to dead links... it will not affect just this message. Are we really intending to break links all over the place? If it's just about anchors, we can definitely insert additional anchors in the documentation to make sure links don't break. |
@yrodiere Your last message seems the best. and
I'm just not sure how the doc team will end up presenting it, it might end up in https://quarkus.io/guides/cors.
Good question. For example, with |
Describe the bug
If I start a Quarkus application in production mode, with the smallrye-openapi extension enabled, I get this message on startup:
I find this confusing, as the message is not telling me what I did wrong (maybe forgot to set some properties, which ones?) nor exactly what is needed to solve it (which properties should I set, simply
quarkus.http.cors=true
? something more complex?). For the record, myapplication.properties
is completely empty.Expected behavior
Maybe the message should expand a bit on what's wrong and what should be done to solve the problem?
If there is no problem (as the "INFO" level seems to suggest), maybe it should be rephrased from "please use [...]" to "if you want X, do Y"?
Actual behavior
How to Reproduce?
Output of
uname -a
orver
No response
Output of
java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
No response
Build tool (ie. output of
mvnw --version
orgradlew --version
)No response
Additional information
The log was apparently introduced in this commit by @sberyozkin: 597440d
The text was updated successfully, but these errors were encountered: