New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
apiserver: CORS only works in insecure mode? #16431
Comments
cc @lavalamp |
That seems kinda broken, how can we implement this without leaking BTW, our apiserver is not currently safe against XSS attacks, so we do On Wed, Oct 28, 2015 at 9:35 AM, krousey notifications@github.com wrote:
|
I have come across the same issue. Is it possible to run a nginx proxy in front of apiserver on the master to handle CORS request? it seems that there was a nginx sitting in front of apiserver quite a while ago and all requests will be reverse proxied by nginx. but then it got removed to enable apiserver bearer token auth (nginx does not support bearer token). |
also could you explain more on
what is the security concern behind having authn handler take precedence over CORS handler rather than the other way around? or we simply don't want to enable cors on security port (because the preflight request will always be rejected)? |
@lavalamp any update? |
@pendoragon No update. As far as what the problem is, OPTIONS not having auth headers means we can't tell if the requester is allowed to see the thing they're asking about. But anyway, as apiserver is not currently (and possibly not ever) hardened against XSS attacks, if you need CORS, you probably need to run an api proxy that is hardened against XSS attacks. |
@lavalamp could you clarify what information would be leaked if we don't check auth on OPTIONS requests? My understanding is that
|
I was under the impression that OPTIONS also contains a path, and therefore On Fri, Nov 6, 2015 at 2:39 AM, xinzhangcmu notifications@github.com
|
AFAIU, OPTIONS does contain a path but the server will just return 204 regardless of whether the path exits or not. The response to OPTIONS only indicates that server is aware of CORS. |
I agree with @pendoragon, it should be fine to ignore the path in the options request. |
Thanks for the clarification! In that case it sounds logical to change the On Tue, Nov 10, 2015 at 5:12 AM, stephenR notifications@github.com wrote:
|
Thanks for confirmation! I will work on a PR for this! |
I am writing a client-side AngularJS app that uses XMLHttpRequest trying to talk to the apiserver. The apiserver was brought up with the following flags, especially with
cors-allowed-origins
hoping to allow CORS.and I configured apiserver to support basic auth with https.
However, the pre-flight OPTIONS request failed with 401. Below is my rationale:
Is this expected behavior or did I miss anything? If it is expected, then what is the recommended way to allow CORS with authn on? I am thinking of using a proxy in front of the apiserver
The text was updated successfully, but these errors were encountered: