Kong: Preflight OPTIONS request not handled in Kong gateway

--data "config.origins=http://localhost:4200"

Is this the origin being sent by your browser? Please provide the CORS preflight request that is failing.

config.origins:
List of allowed domains for the Access-Control-Allow-Origin header. If you wish to allow all origins, add * as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.

Yes That is correct. Please find the details below ...I am getting following error whenever I am tying POST . When I use a CORS third party header it works fine.

Error (Endpoint - http://url:8000/xxx/yyy/AAAA

Access to XMLHttpRequest at 'xxxx' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

If the endpoint is - https://cors-anywhere.herokuapp.com/http://url:8000/xxx/yyy/AAAA - it works fine

Request (with http headers)

Request URL:
Request Method: OPTIONS
Status Code: 404 Not Found
Remote Address: 54.154.83.36:8000
Referrer Policy: no-referrer-when-downgrade

Provisional headers are shown
Access-Control-Request-Headers: access-control-allow-origin,authorization,content-type
Access-Control-Request-Method: POST
Origin: http://localhost:4200

Request without http headers

Request URL:
Request Method: OPTIONS
Status Code: 404 Not Found
Remote Address: 54.154.83.36:8000
Referrer Policy: no-referrer-when-downgrade
Provisional headers are shown
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Origin: http://localhost:4200

Plugin

curl -i -X POST http://localhost:8001/services/f09a225b-d484-4259-9f66-efd6abd8190e/plugins --data "name=cors" --data "config.methods=GET" --data "config.methods=POST" --data "config.origins=*" --data "config.preflight_continue=false" --data "config.exposed_headers=Access-Control-Allow-Headers,Access-Control-Allow-Origin" --data "enabled=true"
HTTP/1.1 201 Created
Date: Fri, 02 Aug 2019 01:00:05 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Server: kong/1.2.1
Content-Length: 449

{"created_at":1564707605,"config":{"methods":["GET","POST"],"exposed_headers":["Access-Control-Allow-Headers,Access-Control-Allow-Origin"],"max_age":null,"headers":null,"origins":["*"],"credentials":false,"preflight_continue":false},"id":"6d56ec88-3873-4c10-a7cf-d5f63eb1a453","service":{"id":"f09a225b-d484-4259-9f66-efd6abd8190e"},"name":"cors","protocols":["http","https"],"enabled":true,"run_on":"first","consumer":null,"route":null,"tags":null}

Service on which the Plugin is configured

{"host":"54.229.55.90","created_at":1564075509,"connect_timeout":60000,"id":"f09a225b-d484-4259-9f66-efd6abd8190e","protocol":"http","name":"CreatePSDReport","read_timeout":60000,"port":9092,"path":"/gabrielreturn/psdreport","updated_at":1564075509,"retries":5,"write_timeout":60000,"tags":null}

Route for the service (configured with Path)

{"id":"4a904652-0107-4b8f-97e3-73bd5a96c8d2","tags":null,"paths":["/gabrielreturn/psdreport"],"destinations":null,"protocols":["http","https"],"created_at":1564075563,"snis":null,"hosts":null,"name":null,"preserve_host":false,"regex_priority":0,"strip_path":true,"sources":null,"updated_at":1564075563,"https_redirect_status_code":426,"service":{"id":"f09a225b-d484-4259-9f66-efd6abd8190e"},"methods":["POST"]}

I have tried with config.origins=* . But still same error.

@james-callahan any inputs please. This is a blocker for me and we have no clue how to solve this. Really urgent. Any help is highly appreciated. Please help.

You need to ensure that you have a Route configured with the OPTIONS method.

This is because of your request, which is a special cross-domain request. The specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method.

At first, I was confused because Kong Services doesn't allow me to create a Service with the OPTIONS method, but yesterday I discovered that the Kong Routes allows it!

@Yamilquery Thanks for the input. However this does not solve the problem for me. Please see #4898 .
This is specified as a limitation of the CORS plugin in that it does not allow OPTIONS in the method config .

I would like to know more about what you are proposing. Does it mean I need to specify two routes for each service - one for the actual HTTP method (GET/POST/PUT/DELETE) and the other for OPTIONS with the same path configured . My query is if I have a route configured with OPTIONS method , it will just route it to the upstream service which will not know how to handle it anyways resulting in same error. It is because the CORS plugin cannot act on the OPTIONS request due to the limitation in the way it has been designed.

Let me know if I am missing something.

Regards
Neel

@nchaudhu same problem here, CORS plugin is not working with OPTIONS header properly. Did you find a solution?

@brainweb-br I think it's a CORS plugin bug about evaluation priority, it eval the route criteria before CORS. So you can try the workaround, add a fallback route for Kong not to reject the preflight (OPTIONS) request:

@noomz I solved putting the OPTIONS method in the route configuration.
I thought that was not needed.

Add OPTIONS as an additional HTTP method in the route config worked for me too.

@noomz or @jaimebrolesi Can you specify the solution better? I'm trying to create two routes, one with 'OPTIONS' and priority_regex: 0 and the other with priority_regex: 1, but it hasn't worked for me.

@nchaudhu I think this issue was fixed by #4899 (which was manually merged instead of merged via the github UI, so it appears as "Closed"). So I will close this issue. Please reopen if I misunderstood.

@italoeduardo96 I believe what's being suggested is: One of the field of a Route is the methods field. It is an array, and can have more than one method. If methods is empty, then the route will be matched via other means (a common one is the hosts field). But if methods is present (for example if it contains ["GET"], then in order for the CORS plugin to work correctly with the Route, then the OPTIONS needs to be included in the Route's methods field (it should be ["GET", "OPTIONS"]). Otherwise Kong will not match the OPTIONS request with the Route, and the CORS plugin associated to the Route will not be triggered.