-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Date header not accessible to CORS browser clients, missing Access-Control-Expose-Headers #33231
Comments
cc @smarterclayton I found this trying to fix the clock skew problem |
@jwforres i can take a stab at a quick change Access-Control-Expose-Headers (support section 6.1.4 of https://www.w3.org/TR/cors/#resource-requests). If i a file a WIP PR, will you be able to build it and test it? Please let me know, if not i can try to setup an environment. |
oh and which set of http headers need to be exposed? |
Our typical HTTP Response has a "Date" Header, if we don't add an additional http header "Access-Control-Expose-Headers: Date" then the browser based clients cannot use the Date HTTP Header. Fixes kubernetes#33231
I'm not aware of any other special headers being sent, Date should be enough for now I'm not really set up to run just kubernetes right now, I could cherry-pick the change into openshift's vendor of kube 1.4 and try it there if you want? |
Sure @jwforres please try the PR and let me know. |
Our typical HTTP Response has a "Date" Header, if we don't add an additional http header "Access-Control-Expose-Headers: Date" then the browser based clients cannot use the Date HTTP Header. Fixes kubernetes#33231
Automatic merge from submit-queue Support Access-Control-Expose-Headers in CORS Handler Our typical HTTP Response has a "Date" Header, if we don't add an additional http header "Access-Control-Expose-Headers: Date" then the browser based clients cannot use the Date HTTP Header. Fixes #33231 **Release note**: <!-- Steps to write your release note: 1. Use the release-note-* labels to set the release note state (if you have access) 2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. --> ```release-note When CORS Handler is enabled, we now add a new HTTP header named "Access-Control-Expose-Headers" with a value of "Date". This allows the "Date" HTTP header to be accessed from XHR/JavaScript. ```
v1.4.0-beta.3+d19513f
If a UI is hosted on a different domain than the API, and that UI hostname has been whitelisted as an allowed CORS origin, it should be able to access the Date header being returned by the API.
However, the CORS spec requires any headers that are not simple must be included in a header called Access-Control-Expose-Headers or the javascript in the page will not be able to access the headers even if they are returned by the server.
This should just be a matter of adding
Access-Control-Expose-Headers
in the CORS handlerkubernetes/pkg/apiserver/handlers.go
Line 386 in a2c186d
The text was updated successfully, but these errors were encountered: