
Can't get CORS to work when "withCredentials" is true for any origin #9

kshetline opened this issue Nov 1, 2019 · 4 comments

I'm trying to get CORS to work when withCredentials is true in my XMLHttpRequest, but for any origin. If I use "allow_origins": [] or "allow_origins": ["*"] in my "github_com/devopsfaith/krakend-cors" config, CORS will only work if withCredentials is false.

I can get CORS to work when withCredentials is true only if I specifically whitelist all allowed origins.

The problem is that with "allow_origins": [] or "allow_origins": ["*"], Access-Control-Allow-Origin comes back as "*". I need to have the origin of the request echoed back in the Access-Control-Allow-Origin header instead.

Is there a way to specify that behavior?

```json
"github_com/devopsfaith/krakend-cors": {
    "allow_origins": ["http://localhost:8080"], // Or [] or ["*"] - which only changes the limitation or error I get
    "allow_headers": ["Origin", "Authorization", "Content-Type", "Accept", "X-Auth-Token"],
    "expose_headers": ["Content-Type", "Content-Length"],
    "allow_credentials": true
}
```

taik0 commented Nov 1, 2019

Hi @kshetline and welcome to the KrakenD community!

This module wraps https://github.com/rs/cors, the behaviour you are describing is disabled for security reasons (by the library, not us).

Current CORS standards (both W3C CORS and WHATWG fetch standard) have a clear definition for the wildcard *, which means any domain is allowed. But they also have another important security requirement: Origin: * and Credentials: true cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement to disallow this configuration combination.

Please check this issue for more information: rs/cors#55

@kshetline

I can get this to work just fine with a simple sample node/express server (which is not the server we're using through kraken), without running into any security issues from either Chrome or Firefox.

I'm confused about whether or not the issue you linked to above matches my situation or not. I don't have the browser sending Origin: *. The browser is sending its actual origin (let's say that's https://foo.com). The problem is that the response from the service deployed via kraken is Access-Control-Allow-Origin: *, instead of Access-Control-Allow-Origin: https://foo.com.

This problem goes away if withCredentials is false. Are you saying that regardless of circumstances, rs/cors won't echo back the same origin it is sent, even when that origin is explicit, not "*"?

@kshetline

I've found a solution to get the behavior I want. I don't know if this would be considered a "cheat" or not, but "allow_origins": ["http*"] solves my problem.

It was very useful to know that the source code that mattered was "https://github.com/rs/cors", because that made it easy to figure this out. Thanks!
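Added example, not from the thread or from KrakenD/rs/cors: a simplified Go model of the three allow_origins settings discussed (wildcard, explicit list, and the "http*" pattern), showing which Access-Control-Allow-Origin value each produces for a withCredentials request and whether a browser would accept it. It also shows the cost of the "http*" workaround: every http:// and https:// origin is echoed back with credentials, which is exactly the loosening the wildcard rule exists to prevent. The names corsPolicy, originMatches and allowOriginHeader are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// corsPolicy is a hypothetical model of the allow_origins / allow_credentials
// settings from the thread; it is not rs/cors or KrakenD code.
type corsPolicy struct {
	AllowedOrigins   []string
	AllowCredentials bool
}

// originMatches mimics rs/cors-style matching: an exact entry, or one "*" that
// splits the entry into a required prefix and suffix ("http*" matches any
// origin starting with "http", i.e. every http:// and https:// origin).
func originMatches(pattern, origin string) bool {
	i := strings.Index(pattern, "*")
	if i < 0 {
		return pattern == origin
	}
	prefix, suffix := pattern[:i], pattern[i+1:]
	return len(origin) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(origin, prefix) && strings.HasSuffix(origin, suffix)
}

// allowOriginHeader returns the Access-Control-Allow-Origin value ("" = origin
// rejected) and whether a browser accepts the response for a request whose
// withCredentials flag matches p.AllowCredentials.
func allowOriginHeader(p corsPolicy, origin string) (header string, browserAccepts bool) {
	allowAll := len(p.AllowedOrigins) == 0 // empty list means "any origin"
	for _, o := range p.AllowedOrigins {
		allowAll = allowAll || o == "*"
	}
	if allowAll {
		return "*", !p.AllowCredentials // literal "*" is refused alongside credentials
	}
	for _, pat := range p.AllowedOrigins {
		if originMatches(pat, origin) {
			return origin, true // matched origin is echoed back, which credentials require
		}
	}
	return "", false
}

func main() {
	for _, a := range [][]string{{"*"}, {"http://localhost:8080"}, {"http*"}} {
		h, ok := allowOriginHeader(corsPolicy{a, true}, "https://foo.com")
		fmt.Printf("allow_origins=%v -> ACAO=%q accepted=%v\n", a, h, ok)
	}
}
```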

@taik0 taik0 closed this as completed Mar 6, 2021

github-actions bot commented Jun 2, 2022

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.
