policy-engine/src/main: Set basic CORS headers #196
because CORS support moved out of actix-web into its own crate in actix-web 1.0.2. Pushed v906508b -> 8c8067f to pivot to actix-cors ^0.2.0.
That also turns up here, but I'm not clear enough on the Rust to understand what they're saying there yet. My example looks a lot like the actix-cors docs to me.
The versions of actix-cors and actix-web in use are incompatible. Please see my suggestions, which at least make it compile and run. In addition to that we should also have a test to verify these changes.
Not sure how to set this up. Would I plug into here somehow? Looks like at the moment all that has access to is the body of the response, not the full HTTP response with headers and a body.
I think you forgot to push the changes to the I played with the tests locally and would like to add a commit on top of your changes if that's fine with you. The tests will still be broken but we can continue to work on it together based on my commit.
openshift/release#6935 is in flight to make this easier to do, and impossible to forget (because the required
Why don't we have any tests with this PR?
I've been working on getting tests in for this as well as figuring out if this is working correctly in this branch: https://github.com/steveeJ-forks/openshift-cincinnati/tree/forks/wking/cors However, I can't get the policy-engine to respond to or return any CORS related headers. I suggest we wait for #195 to land, which bumps all actix crates to their latest versions. The latest versions have better documentation and we might have more luck with that. On a side note, I don't fully understand the issue any client would be seeing without this PR. Cincinnati doesn't block any requests for me, no matter what
CORS is a client-side mechanism. More details in the MDN page linked from my initial PR post, but basically this is Cincy telling browsers "it's ok for a page outside of api.openshift.com to make Cincy requests. That's neither an XSS attack nor malicious data exfiltration."
+1, basically with this PR we are open to CORS requests from clients which would fail otherwise. AFAIK the typical example is our web browsers, which do not allow CORS requests by default.
And should
s/request/response/, but sure, why not. Seems academic until we have other endpoints to talk about? I don't care one way or the other about having the header on metrics responses, and don't know if the global setup I have here will affect them or not, since they're on a different port.
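The exchange the comments above describe, written out as an added example that is not part of this PR or of Cincinnati's code. It covers both threads of the discussion: the reviewers' point that a useful test must look at the headers of the full HTTP response rather than only the body, and wking's point that CORS is a client-side mechanism, so the server's headers only decide whether a browser hands an already-built response to page JavaScript. The server half is a std-only stand-in for the actix-cors wiring (no actix crate is used here); the page origin https://console.example, the /graph path and the GET/HEAD value for Access-Control-Allow-Methods are assumptions, since the PR does not name them.

```rust
// Added example, not Cincinnati's code. std-only model of the CORS exchange:
// a stand-in server that sets the headers this PR adds, a header-level parser
// a test can assert on, and the browser-side decision for "simple" requests.
use std::collections::HashMap;
use std::io::{Read, Write};
use std::net::{TcpListener, TcpStream};
use std::thread;

/// The two headers the PR sets. "*" allows any origin; the method list is an
/// assumption (the graph endpoint is read-only, so GET/HEAD is used here).
pub fn cors_headers() -> Vec<(&'static str, &'static str)> {
    vec![
        ("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Methods", "GET, HEAD"),
    ]
}

/// Stand-in for the policy-engine response (the real project uses actix-cors).
pub fn build_response(body: &str) -> String {
    let mut out = String::from("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n");
    for (name, value) in cors_headers() {
        out.push_str(&format!("{}: {}\r\n", name, value));
    }
    out.push_str(&format!("Content-Length: {}\r\nConnection: close\r\n\r\n{}", body.len(), body));
    out
}

/// Parse status and headers (names lower-cased) out of a raw HTTP/1.1 response,
/// so a test can assert on headers instead of only the body.
pub fn parse_response(raw: &str) -> (u16, HashMap<String, String>) {
    let mut lines = raw.split("\r\n");
    let status = lines
        .next()
        .and_then(|l| l.split_whitespace().nth(1))
        .and_then(|s| s.parse::<u16>().ok())
        .unwrap_or(0);
    let mut headers = HashMap::new();
    for line in lines {
        if line.is_empty() {
            break; // blank line ends the header block; the body follows
        }
        if let Some((name, value)) = line.split_once(':') {
            headers.insert(name.trim().to_ascii_lowercase(), value.trim().to_string());
        }
    }
    (status, headers)
}

/// "Simple request" per the Fetch spec: one the browser sends without a preflight.
/// Only author-set headers are passed in. Range (safelisted with restrictions in
/// newer spec revisions) is treated as non-simple here, the conservative choice.
pub fn is_simple_request(method: &str, request_headers: &[(&str, &str)]) -> bool {
    if !matches!(method, "GET" | "HEAD" | "POST") {
        return false;
    }
    request_headers.iter().all(|(name, value)| match name.to_ascii_lowercase().as_str() {
        "accept" | "accept-language" | "content-language" => true,
        "content-type" => {
            let mime = value.split(';').next().unwrap_or("").trim().to_ascii_lowercase();
            matches!(
                mime.as_str(),
                "application/x-www-form-urlencoded" | "multipart/form-data" | "text/plain"
            )
        }
        _ => false, // Authorization, custom X-* headers etc. force a preflight
    })
}

/// The browser-side check: the response is already built and received; these
/// headers only decide whether the page at `page_origin` may read it.
pub fn browser_exposes_response(
    page_origin: &str,
    with_credentials: bool,
    headers: &HashMap<String, String>,
) -> bool {
    let origin_ok = match headers.get("access-control-allow-origin").map(String::as_str) {
        Some("*") => !with_credentials, // wildcard is rejected for credentialed requests
        Some(allowed) => allowed == page_origin,
        None => false,
    };
    origin_ok
        && (!with_credentials
            || headers.get("access-control-allow-credentials").map(String::as_str) == Some("true"))
}

fn main() {
    // End-to-end on loopback: one request from a hypothetical page origin.
    let listener = TcpListener::bind("127.0.0.1:0").expect("bind");
    let addr = listener.local_addr().expect("addr");
    let server = thread::spawn(move || {
        let (mut conn, _) = listener.accept().expect("accept");
        let mut buf = [0u8; 1024];
        let _ = conn.read(&mut buf); // request is tiny; a single read is enough here
        conn.write_all(build_response("{\"nodes\":[],\"edges\":[]}").as_bytes()).expect("write");
    });
    let mut client = TcpStream::connect(addr).expect("connect");
    let req = format!(
        "GET /graph HTTP/1.1\r\nHost: {}\r\nOrigin: https://console.example\r\nConnection: close\r\n\r\n",
        addr
    );
    client.write_all(req.as_bytes()).expect("send");
    let mut raw = String::new();
    client.read_to_string(&mut raw).expect("recv");
    server.join().expect("server thread");
    let (status, headers) = parse_response(&raw);
    let exposed = browser_exposes_response("https://console.example", false, &headers);
    println!("status={} allow-origin={:?} exposed-to-page={}",
        status, headers.get("access-control-allow-origin"), exposed);
}
```

Two things worth noticing when reading the result: without this PR the server returns exactly the same body, so a curl or a body-only test sees no difference, which matches the "Cincinnati doesn't block any requests for me" observation; and the wildcard origin is the right choice only because the endpoint is public and unauthenticated, since a browser refuses to pair `*` with credentials.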
/retest Please review the full test history for this PR and help us cut down flakes.
/retest probe timeout was increased
Let's /hold it for > 4hrs to make it recreate a namespace
Needs rebase due to Cargo.toml changes
Rebased around #371 and #360, but still overshooting the SLOs. I think I'm probably holding the CORS library wrong...
Still seeing readiness probe failures /retest
Timeline:
14 seconds for the process in the container to start:
So the readiness probe doesn't account for the time the binary in the container needs to start. It's weird that it takes that long to start, though.
Allow simple requests [1] by including the:

    Access-Control-Allow-Origin: *

header, so folks can write cross-origin web applications that query our Cincinnati server. We're going to be building the response anyway, so we don't even get denial-of-service protection by blocking cross-origin requests for Cincy data.

Also set Access-Control-Allow-Methods for good measure [2], although we do not need to support preflight requests.

Implementation is based on [3] (CORS support moved out of actix-web into its own crate in actix-web 1.0.2 [4]).

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests
[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
[3]: https://docs.rs/actix-cors/0.5.4/actix_cors/
[4]: https://docs.rs/crate/actix-web/1.0.2/source/CHANGES.md
Generated with:

    $ cargo update

using:

    $ cargo --version
    cargo 1.47.0
/lgtm
/hold cancel
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: PratikMahajan, vrutkovs, wking
Allow simple requests by including the Access-Control-Allow-Origin: * header, so folks can write cross-origin web applications that query our Cincinnati server. We're going to be building the response anyway, so we don't even get denial-of-service protection by blocking cross-origin requests for Cincy data.
Also set Access-Control-Allow-Methods for good measure, although we do not need to support preflight requests. Implementation is based on these docs.