So I'm using middleware.CORSWithConfig along w/ a middleware.ProxyWithConfig in my request/response stack.
I'm seeing some oddness w/ the Access-Control-Allow-Origin header, where the value for that header on the response from the proxied service to my Echo server is *, but once it passes through the proxy, it changes to *, * by the time it gets back into the client. Upon which I start seeing the following browser errors related to CORS violations:
VM1627:362 Access to XMLHttpRequest at 'http://localhost:6273/' from origin 'http://localhost:8002' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
The * ACAO header should be replaced/overridden by the CORS middleware setting for ACAO, resulting in just * for the header value.
It seems to me that the values from the proxy's ACAO header are being _appended_ to the resultant response ACAO header, resulting in an invalid *, * value.
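```go
package main

// Import paths assume Echo v4; the issue does not show them.
import (
	"net/http"
	"net/url"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

// singleTargetBalancer wraps a single backend URL in a round-robin balancer.
func singleTargetBalancer(target *url.URL) middleware.ProxyBalancer {
	targets := []*middleware.ProxyTarget{
		{
			URL: target,
		},
	}
	return middleware.NewRoundRobinBalancer(targets)
}

// Noop should never run: the proxy middleware answers the request first.
func Noop(ctx echo.Context) error {
	return ctx.String(
		http.StatusNotImplemented,
		"No op handler should never be reached!",
	)
}

func main() {
	e := echo.New()
	e.HideBanner = true
	// middlewares is the poster's own package; it is not shown in the issue.
	e.Use(
		middleware.CORSWithConfig(middlewares.CustomCorsConfig),
		middlewares.ThriftMetrics(),
	)
	// The balancer takes a *url.URL, so parse the target first.
	target, err := url.Parse("http://foo.com/something")
	if err != nil {
		e.Logger.Fatal(err)
	}
	// Have to use a Noop handler since we're not trying to set up a full-on proxy for the backend service. We only want this one route to be proxied.
	e.POST(
		"/",
		Noop,
		middleware.ProxyWithConfig(middleware.ProxyConfig{
			Balancer: singleTargetBalancer(target),
		}),
	)
	// Port taken from the browser error quoted above.
	e.Logger.Fatal(e.Start(":6273"))
}
```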
I ultimately worked around this by modifying the header in-flight after the proxy does its thing. Linking here for others that may come across this: https://stackoverflow.com/questions/58310173/echo-cors-w-proxy-middlewares-causes-problems-w-access-allow-origins-response/58331197#58331197
But I'm not closing because this still seems odd that Echo's proxy is "allowed" to set an invalid ACAO header, in the case of a backend service setting *.
@RavenHursT I can help by providing a simple PR for further discussion with labstack here. But maybe the CORSMiddleware shouldn't override response headers in such a way as you described above?
Your services behind ProxyMiddleware can provide specific headers if they want and it must be returned to the client. IMO, the main issue here is that the resulting ACAO is invalid. So, ProxyMiddleware should handle it and fix the ACAO when needed.
Maybe you're right. But seems like, if I'm using a CORSMiddleware, that _should_ be the "source of truth" for all the CORS-related headers, right? I mean, even though I'm proxying the requests.. I'd still expect my CORSConfig to impact the resultant responses...
The CORSMiddleware will be the "source of truth" and ProxyMiddleware shouldn't fix incorrect values. It's about services behind them.
Well, that's an interesting and meaningful point of view. I suppose we should wait for one of the maintainers. But I'll soon provide a PR with your solution. So, we'll be able to discuss some real drafts.
Sounds great @jerrdasur !
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is there a better way to handle this? I'm facing a similar issue where it says 'Access-Control-Allow-Origin' header contains multiple values '*, http://localhost:3000'
@arun0009 I ended up working around this issue w/ a custom middleware solution:
https://stackoverflow.com/a/58331197/282250
@RavenHursT - Thanks! I left a comment and upvoted your answer on StackOverflow. It worked for me as well
Thanks for that!
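The duplication discussed in this thread, reproduced as an added example (not code from the issue, the linked answer, or Echo): a CORS layer sets the header first, then Go's `httputil.ReverseProxy` appends the upstream's copy, and a `ModifyResponse` hook that strips upstream `Access-Control-*` headers leaves the edge policy as the only one. It assumes Echo's proxy copies headers the way the standard library's reverse proxy does; `upstream`, `acaoValues` and the `.invalid` hosts are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

const acao = "Access-Control-Allow-Origin"

// upstream is a constructed stand-in for the proxied service: it always
// answers with its own "Access-Control-Allow-Origin: *", with no network I/O.
type upstream struct{}

func (upstream) RoundTrip(r *http.Request) (*http.Response, error) {
	h := http.Header{}
	h.Set(acao, "*")
	return &http.Response{StatusCode: http.StatusOK, Header: h, Body: http.NoBody, Request: r}, nil
}

// acaoValues sends one request through "CORS layer, then reverse proxy" and
// returns every ACAO value the client would receive.
func acaoValues(stripUpstreamCORS bool) []string {
	target, _ := url.Parse("http://backend.invalid") // placeholder, never dialed
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = upstream{}
	if stripUpstreamCORS {
		// Drop the backend's Access-Control-* headers before they are copied,
		// so the edge's CORS policy is the only one the browser sees.
		proxy.ModifyResponse = func(res *http.Response) error {
			for name := range res.Header {
				if strings.HasPrefix(name, "Access-Control-") {
					res.Header.Del(name)
				}
			}
			return nil
		}
	}
	rec := httptest.NewRecorder()
	rec.Header().Set(acao, "*") // what the CORS layer sets before calling next
	proxy.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "http://edge.invalid/", nil))
	return rec.Result().Header.Values(acao)
}

func main() {
	fmt.Println("default: ", acaoValues(false))
	fmt.Println("stripped:", acaoValues(true))
}
```

Stripping every upstream `Access-Control-*` header, not only the origin header, keeps a backend from widening the allowed methods, headers or credentials beyond what the edge configuration permits.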