CORS - allowing content-type on headers #171

Closed
g-belmonte opened this issue Aug 31, 2020 · 6 comments

@g-belmonte

g-belmonte commented Aug 31, 2020

Greetings!

I've been dealing with an application that has different servers for the frontend and its API. Resgate is the entrypoint for the API, and I was trying to do some REST requests from the frontend, but having trouble when setting the header "Content-Type: application/json", because resgate's answer didn't have the header "Access-Control-Allow-Headers: content-type".
I added it to the code, and things started to work perfectly for me.

If you think this change might bring value to the project, here's the PR: #173

@g-belmonte
Author

I was solving this issue with @raphaelpereira, and I saw we both opened a PR for that.
(the other PR is #172)

Please, feel free to close one of them 😄

@jirenius
Collaborator

jirenius commented Sep 5, 2020

Hi @g-belmonte and @raphaelpereira

Sorry for the slow response. Week has been mightily busy.

Great that you guys made it work! (and made me aware of the issue 😃 )

#172 (and #173) covers the most common case with Content-Type, but better to cover it completely.

Since request headers will have no side-effects with Resgate, and attempts to forge headers such as X-Forwarded-Host can easily be countered at the reverse proxy if some RES-service for some weird reason should depend on it. So.. yeah, I think it is safe to allow any headers.

But, with those changes, I actually made my own branch where the Access-Control-Request-Headers value is mirrored to the Access-Control-Allowed-Headers (I am not sure how well browsers support the *-wildcard, so mirroring is safer).

https://github.com/resgateio/resgate/tree/feature/gh-171-cors-access-control-allow-headers

If you have the time, please try it out to see if it solves your issue.
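
The mirroring approach described in the comment above, as an added Go example that is not part of the thread and not Resgate's implementation: the handler echoes the preflight's Access-Control-Request-Headers into Access-Control-Allow-Headers, keeping only well-formed header names. The names `mirrorAllowHeaders`, `corsPreflight` and `preflight`, the `/api/example` path and the open `Access-Control-Allow-Origin: *` policy are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const tchar = "!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" // RFC 7230 token characters

// mirrorAllowHeaders builds the Access-Control-Allow-Headers value from the
// browser's Access-Control-Request-Headers, echoing only well-formed names.
func mirrorAllowHeaders(requested string) string {
	var out []string
	for _, name := range strings.Split(requested, ",") {
		name = strings.TrimSpace(name)
		if name != "" && strings.Trim(name, tchar) == "" {
			out = append(out, name)
		}
	}
	return strings.Join(out, ", ")
}

// corsPreflight is a hypothetical handler (not Resgate's code).
func corsPreflight(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*") // assumption: API open to any origin
	if r.Method == http.MethodOptions {
		if allow := mirrorAllowHeaders(r.Header.Get("Access-Control-Request-Headers")); allow != "" {
			w.Header().Set("Access-Control-Allow-Headers", allow)
		}
		// The reply varies with the request header, so caches must key on it.
		w.Header().Add("Vary", "Access-Control-Request-Headers")
	}
	w.WriteHeader(http.StatusNoContent)
}

// preflight sends one constructed OPTIONS request through the handler.
func preflight(requestHeaders string) http.Header {
	req := httptest.NewRequest(http.MethodOptions, "/api/example", nil)
	req.Header.Set("Access-Control-Request-Headers", requestHeaders)
	rec := httptest.NewRecorder()
	corsPreflight(rec, req)
	return rec.Header()
}

func main() {
	fmt.Println(preflight("content-type, authorization").Get("Access-Control-Allow-Headers"))
}
```

Mirroring also covers `Authorization`, which the `*` wildcard in Access-Control-Allow-Headers does not: the Fetch standard requires that header name to be listed explicitly.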

@g-belmonte
Author

No worries, @jirenius! Actually, thanks for spending time taking a look at this issue. Time is a scarce resource 😃

Well, my fix worked until I had to do a request with authorization. Then I had to add Access-Control-Allow-Headers: authorization to the headers and I started to think "what other headers am I missing?"... so, I do think that mirroring the Access-Control-Request-Headers would be an easy way forward!
I'll go test your branch, and I'll be back soon with the results 😄

@g-belmonte
Author

And yes, your branch is working perfectly 😄 👍

@jirenius
Collaborator

Great! Thanks for the help.

I'll have the branch merged to develop, and then release a patch version of Resgate instead of waiting for next minor release.

jirenius added a commit that referenced this issue Sep 10, 2020
…trol-allow-headers

Feature/gh 171 cors access control allow headers
@jirenius
Collaborator

Resolved in #174
