
CORS + JWT validation is broken because of wrong order of envoy filters #36911

Closed
woidda opened this issue Jan 20, 2022 · 4 comments · Fixed by #36981

Comments

woidda commented Jan 20, 2022

Bug Description

The problem is the OPTIONS preflight request when making non simple HTTP calls.

  • CORS should take precedence over auth.
  • I think CORS headers are public information, especially for public-facing APIs

Istio does not return the access control headers. This hack is supposed to fix that, but I guess it is not a smart idea to have to do that hack in every Istio configuration where we need to authenticate JWT tokens AND support CORS headers.

Version

$ istioctl version
client version: 1.12.1
control plane version: 1.10.1
data plane version: 1.10.1 (92 proxies)

$ kubectl version --short
Client Version: v1.22.1
Server Version: v1.21.2-eks-0389ca3

Additional Information

See also the suggestion in the automatically closed issue.
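The failure described in this report comes down to filter order: when the JWT filter runs before the CORS filter, a browser preflight (an OPTIONS request that by design carries no Authorization header) is rejected with 401 before the CORS filter can answer it, so the browser never sees the Access-Control-* headers. The following is an added example, not code from the Istio issue or from the Istio/Envoy code base: a small Python model of an Envoy-style HTTP filter chain that reproduces the broken ordering, shows the effect of a preflight bypass on the JWT filter (modelled on Envoy's bypass_cors_preflight option, which recognises a preflight as OPTIONS plus Origin plus Access-Control-Request-Method), and shows the alternative of placing the CORS filter first. The token value, the allowed origin, the request samples and the placeholder JWT check are all constructed for illustration; the JWT check only compares a string and performs no real signature verification.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Request:
    method: str
    headers: dict

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

# Constructed values for the illustration; not real credentials or origins.
VALID_TOKEN = "Bearer constructed-valid-token"
ALLOWED_ORIGIN = "https://app.example"

def is_cors_preflight(req: Request) -> bool:
    """OPTIONS with Origin and Access-Control-Request-Method present: the
    same three conditions Envoy's JWT filter uses to recognise a preflight."""
    return (req.method == "OPTIONS"
            and "origin" in req.headers
            and "access-control-request-method" in req.headers)

def jwt_filter(bypass_cors_preflight: bool) -> Callable[[Request], Optional[Response]]:
    """Placeholder JWT check (constructed): a real filter verifies signature,
    issuer and audience; here only the exact constructed token value passes."""
    def filt(req: Request) -> Optional[Response]:
        if bypass_cors_preflight and is_cors_preflight(req):
            return None  # leave the preflight for the CORS filter to answer
        if req.headers.get("authorization") != VALID_TOKEN:
            return Response(401)  # rejected here; later filters never run
        return None
    return filt

def cors_filter(req: Request) -> Optional[Response]:
    """Answers an allowed preflight locally; all other requests continue."""
    if req.headers.get("origin") != ALLOWED_ORIGIN:
        return None
    if is_cors_preflight(req):
        return Response(200, {
            "access-control-allow-origin": ALLOWED_ORIGIN,
            "access-control-allow-methods": req.headers["access-control-request-method"],
            "access-control-allow-headers": req.headers.get("access-control-request-headers", ""),
        })
    return None

def run_chain(req: Request, filters) -> Response:
    """Runs filters in order; the first one returning a Response ends the chain."""
    for f in filters:
        resp = f(req)
        if resp is not None:
            return resp
    return Response(200, {"x-served-by": "upstream"})  # request reached the app

# Constructed sample requests: a preflight, and the actual call with/without a token.
PREFLIGHT = Request("OPTIONS", {
    "origin": ALLOWED_ORIGIN,
    "access-control-request-method": "POST",
    "access-control-request-headers": "authorization,content-type",
})
ACTUAL_NO_TOKEN = Request("POST", {"origin": ALLOWED_ORIGIN})
ACTUAL_WITH_TOKEN = Request("POST", {"origin": ALLOWED_ORIGIN, "authorization": VALID_TOKEN})

def simulate(jwt_first: bool, bypass_cors_preflight: bool) -> dict:
    """Builds the chain in the requested order and runs all three sample requests."""
    jwt = jwt_filter(bypass_cors_preflight)
    chain = [jwt, cors_filter] if jwt_first else [cors_filter, jwt]
    return {
        "preflight": run_chain(PREFLIGHT, chain),
        "actual_no_token": run_chain(ACTUAL_NO_TOKEN, chain),
        "actual_with_token": run_chain(ACTUAL_WITH_TOKEN, chain),
    }

if __name__ == "__main__":
    cases = [("jwt before cors, no bypass", True, False),
             ("jwt before cors, bypass_cors_preflight", True, True),
             ("cors before jwt", False, False)]
    for label, jwt_first, bypass in cases:
        results = simulate(jwt_first, bypass)
        print(label)
        for name, resp in results.items():
            print(f"  {name}: {resp.status} {sorted(resp.headers)}")
```

The first case reproduces the report: the preflight gets a 401 with no CORS headers, so the browser blocks the real call before it is even sent. The second case shows why the bypass is the right fix rather than a weakening of auth: only the preflight is exempted, while the actual POST without a token is still rejected with 401 and the one with a token still reaches upstream. The third case shows the result of moving the CORS filter ahead of the JWT filter, which gives the same outcome for these requests.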

howardjohn (Member) commented

cc @yangminzhu thoughts on bypass_cors_preflight?

woidda (Author) commented Jan 24, 2022

Why is bypass_cors_preflight: true not the default?

yangminzhu (Contributor) commented Jan 24, 2022

It should be set to true by default, and I think we actually forgot to set it when we changed to use the Envoy JWT filter (previously it was enabled in the Istio JWT filter directly).

Thanks for reporting the issue, I will take this.

SpecialYang (Member) commented

I am confused about why Istio predefines the order of HTTP filters, such as the rbac, jwt_auth, cors and fault filters.
How can I move the cors HTTP filter to the first position, before jwt_auth or rbac?


5 participants