Add CORS_ORIGIN environment variable #17

Merged: 3 commits merged on Apr 15, 2021

arel (Contributor) commented Nov 23, 2020

Fixes #18

Previously, ssl-proxy assigned the SERVER_NAME value to the Access-Control-Allow-Origin header (which was not documented).

One issue is that any CORS headers set by the proxied server are overridden here. Another issue is that there is no way to customize the CORS headers, which is important for any API.

In my case, I would have preferred ssl-proxy not override the server's headers, but at the very least I needed to be able to set the Access-Control-Allow-Origin header myself to a value other than the server name.

This pull request adds an environment variable, CORS_ORIGIN, and documents it in the README. If unset, this value will default to that of SERVER_NAME to maintain backward compatibility. Otherwise, it allows overriding just the origin header.

I hope this change helps other people in my situation!

There can be only one Access-Control-Allow-Origin header,
and it's being set in entrypoint.sh. So, any existing
Access-Control-Allow-Origin header must be hidden.

arel (Contributor, Author) commented Nov 23, 2020

Actually, I believe add_header does not override but rather appends a header. So, I added a line to first hide the server's header, if any, since there can only be one.

proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Origin' ${CORS_ORIGIN} always;

See: https://serverfault.com/questions/928912/how-do-i-remove-a-server-added-header-from-proxied-location
See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed
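
The behaviour described in the two comments above, as an added example that is not code from this pull request or from ssl-proxy's entrypoint.sh: CORS_ORIGIN falls back to SERVER_NAME, the upstream header is hidden before the proxy adds its own, and the value is checked against a character allowlist before it is written into the nginx config. The function names, the allowlist and the sample headers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the project's entrypoint.sh.

# Accept "*" or a value made only of characters found in an origin or host name.
# Anything else (spaces, quotes, ';', '{', '}', newlines) is refused so the
# value cannot add nginx directives when it is written into the config.
valid_cors_value() {
  case "$1" in
    '') return 1 ;;
    '*') return 0 ;;
    *[!A-Za-z0-9.:/-]*) return 1 ;;
  esac
  return 0
}

# Print the CORS lines for the nginx location block.
# CORS_ORIGIN defaults to SERVER_NAME, as the pull request describes.
render_cors_block() {
  origin="${CORS_ORIGIN:-$SERVER_NAME}"
  if ! valid_cors_value "$origin"; then
    echo "refusing to render CORS value: $origin" >&2
    return 1
  fi
  cat <<EOF
proxy_hide_header 'Access-Control-Allow-Origin';
add_header 'Access-Control-Allow-Origin' '$origin' always;
EOF
}

# Count Access-Control-Allow-Origin headers in a response header dump.
# Browsers reject the response when this is greater than 1.
count_acao() {
  printf '%s\n' "$1" | grep -ci '^access-control-allow-origin:' || true
}

# Constructed sample: what a client sees when the upstream header is not
# hidden and add_header appends a second one.
DUP_HEADERS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://api.internal.example
Access-Control-Allow-Origin: https://app.example.org'

# Demo run with constructed values.
( SERVER_NAME=proxy.example.com; CORS_ORIGIN=https://app.example.org; render_cors_block )
count_acao "$DUP_HEADERS"
```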

justsml (Owner) commented Apr 15, 2021

Thanks @arel !!!
Sorry for the delay!

Your PRs look great, I'll review & merge em in, thanks!

@justsml justsml merged commit bf80543 into justsml:master Apr 15, 2021
Successfully merging this pull request may close these issues.

CORS origin header cannot be customized and overrides the server response headers