Hydra: CORS_ALLOWED_ORIGINS doesn't respect wildcards

Created on 8 Oct 2018  路  3Comments  路  Source: ory/hydra

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
When using wildcards in CORS_ALLOWED_ORIGINS environment variable, hydra does not respect them.

When specifying domains exactly, hydra respects the CORS request.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
Launch hydra with CORS for *.domain.com:

docker run -it --rm \
  -e CORS_ENABLED=true \
  -e "CORS_ALLOWED_ORIGINS=http://*.domain.com" \
  -e DATABASE_URL=memory \
  -p 4444:4444 \
  oryd/hydra:v1.0.0-beta.9 serve all --dangerous-force-http

Attempt a CORS request:

curl \
  --request POST \
  --header "Origin: http://test.domain.com" \
  --dump-header - \
  --output /dev/null \
  --silent \
  http://localhost:4444/oauth2/token

Notice the lack of CORS headers.

Now, attempt another CORS request this time from http://*.domain.test:

curl \
  --request POST \
  --header "Origin: http://*.domain.com" \
  --dump-header - \
  --output /dev/null \
  --silent \
  http://localhost:4444/oauth2/token

Theres a header for Access-Control-Allow-Origin: http://*.domain.com! Looks like the wildcard is being treated as an actual character.

What is the expected behavior?
Hydra should send Access-Control-Allow-Origin: http://test.domain.com as a header.

Which version of the software is affected?

docker run -it --rm oryd/hydra:v1.0.0-beta.9 version
Version:    v1.0.0-beta.9
Git Hash:   f359d0809badec1219d4678afe54ae628b0bdf70
Build Time: 2018-09-01T13:29:35Z
bug feat

Most helpful comment

You're right, in fact this is a bug. rs/cors (the library we use for cors) should support this: https://github.com/rs/cors#parameters

Not sure what's going on.

All 3 comments

Yeah, wildcards are currently interpreted as literals, see also: https://www.w3.org/TR/cors/#access-control-allow-origin-response-header

It's useful nonetheless, tagging as feature request.

Ah ok then, it might be helpful to update the help message for CORS_ALLOWED_ORIGINS. It might be a bit misleading until this is implemented:

- CORS_ALLOWED_ORIGINS: A list of origins (comma separated values) a cross-domain request can be executed from.
    If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
    to replace 0 or more characters (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penality.
    Only one wildcard can be used per origin. The default value is *.
    Example: CORS_ALLOWED_ORIGINS=http://*.domain.com,http://*.domain2.com

You're right, in fact this is a bug. rs/cors (the library we use for cors) should support this: https://github.com/rs/cors#parameters

Not sure what's going on.

Was this page helpful?
0 / 5 - 0 ratings