Is there a way to setup CORS origins? Nginx config overwritten by postgrest

[yevon]

I was trying to setup nginx CORS rules for my project in nginx ingress in kubernetes, until I realized a weird behaviour, and it is that postgrest is always adding the "access-control-allow-origin: *" header. Is there a way to completely disable this? or modify this header? As nginx is returning this header when it shoudn't. It would be nice being able to disable this behaviour, or just being able to modify the origins returned by the access-control-allow-origin header.

[steve-chavez]

Sure, this shouldn't be too hard to customize. The cors logic is on this file:

postgrest/src/PostgREST/Cors.hs

Lines 19 to 42 in a41380b

	-- | CORS policy to be used in by Wai Cors middleware
	corsPolicy :: Wai.Request -> Maybe Wai.CorsResourcePolicy
	corsPolicy req = case lookup "origin" headers of
	Just origin ->
	Just Wai.CorsResourcePolicy
	{ Wai.corsOrigins = Just ([origin], True)
	, Wai.corsMethods = ["GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS"]
	, Wai.corsRequestHeaders = "Authorization" : accHeaders
	, Wai.corsExposedHeaders = Just
	[ "Content-Encoding", "Content-Location", "Content-Range", "Content-Type"
	, "Date", "Location", "Server", "Transfer-Encoding", "Range-Unit"]
	, Wai.corsMaxAge = Just $ 60*60*24
	, Wai.corsVaryOrigin = False
	, Wai.corsRequireOrigin = False
	, Wai.corsIgnoreFailures = True
	}
	Nothing -> Nothing
	where
	headers = Wai.requestHeaders req
	accHeaders = case lookup "access-control-request-headers" headers of
	Just hdrs -> map (CI.mk . BS.strip) $ BS.split ',' hdrs
	-- Impossible case, Middleware.Cors will not evaluate this when
	-- the Access-Control-Request-Headers header is not set.
	Nothing -> []

[yevon]

Ok thanks, I would need this before going to production, as having open cors in an api with authentication might be a high security risk. I didn't found a way to tell nginx proxy to ignore postgrest cors headers yet, and only use those defined in nginx. I might look into this when I have some time, but maybe other can implement this easily.

[wolfgangwalther]

To do this at the proxy level with nginx, you could just use proxy_hide_header: https://stackoverflow.com/a/56617888

[yevon]

To do this at the proxy level with nginx, you could just use proxy_hide_header: https://stackoverflow.com/a/56617888

Amazing! I will try this thanks.

[yevon]

I tried:

nginx.org/proxy-hide-headers: "Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Methods,Access-Control-Allow-Headers,Access-Control-Max-Age"

But it doesn't seem to be working, maybe I'm missing something.

[laurenceisla]

Just to give an example to hide the access-control-allow-origin header using #2441 (comment):

server {

  # ...

  location /api/ {
    default_type  application/json;
    proxy_hide_header Content-Location;
    add_header Content-Location  /api/$upstream_http_content_location;
    proxy_set_header  Connection "";
    proxy_http_version 1.1;
    proxy_pass http://postgrest/;

    # Hides the header
    proxy_hide_header 'Access-Control-Allow-Origin';

    # Sets the new value
    add_header Access-Control-Allow-Origin https://www.mydomain.com;
  }
}

[yevon]

Yes sorry, it indeed worked adding proxy hide headers thanks all! Closing this.

[elimisteve]

In case it's useful to my fellow Gophers...

How to do the same thing as above, but using Go rather than Nginx as your reverse proxy:

postgrestURL, _ := url.Parse("http://localhost:3000")
postgrestProxy := httputil.NewSingleHostReverseProxy(postgrestURL)
postgrestProxy.ModifyResponse = func(resp *http.Response) error {
        resp.Header.Del("Access-Control-Allow-Origin")  // Delete too-permissive header coming back from PostgREST
        resp.Header.Set("Access-Control-Allow-Origin", "https://www.mydomain.com")
        return nil
}
handlePostgrest := http.StripPrefix("/postgrest", postgrestProxy)

// Using gorilla/mux:
r := mux.NewRouter()
r.PathPrefix("/postgrest").Handler(handlePostgrest)
http.Handle("/", r)

// Or without gorilla/mux:
http.Handle("/postgrest", handlePostgrest)

[steve-chavez]

Hm, since we do modify CORS (doc) I think making it configurable is reasonable. It should be simple to implement too.

cors-allowed-origins = "domain1, domain2"

By default it's:

cors-allowed-origins = "*"

---

Alternatively, this should already be possible with pre-request? Edit: even if it's possible, it should be fine to have the ability to configure it globally.

[taimoorzaeem]

@steve-chavez How should we handle the case when an Origin: domain header is given in the request? Should it override the cors-allowed-origins config?

[laurenceisla]

@taimoorzaeem According to MDN, you'll need to:

Limiting the possible Access-Control-Allow-Origin values to a set of allowed origins requires code on the server side to check the value of the Origin request header, compare that to a list of allowed origins, and then if the Origin value is in the list, set the Access-Control-Allow-Origin value to the same value as the Origin value.

It only returns the value specified by Origin in the he Access-Control-Allow-Origin header if found. AFAIK Origin doesn't override the config, it just works as a filter for the list in that config.

[steve-chavez]

@taimoorzaeem Sorry for the late reply here.

So as per my understanding, if domain is not inside cors-allowed-origins - hence not sent in Access-Control-Allow-Origin - the preflight request will fail. Not sure if we need to set a custom error here, the browser itself should err with an appropriate message.

I also recommend checking the MDN docs that Laurence linked.

[steve-chavez]

@taimoorzaeem Also these docs might be helpful:

• https://ieftimov.com/posts/deep-dive-cors-history-how-it-works-best-practices/
• https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request