Allow customisation of Access-Control-Allow-Headers #114

Closed
ghost opened this issue Apr 16, 2017 · 16 comments

@ghost

ghost commented Apr 16, 2017

Steps to reproduce:

  1. Expand Access-Control-Request-Headers: Origin, Content-Type, Accept in request with Authorization HTTP header.

What was expected:

  • Access-Control-Allow-Headers from response will contain Authorization as accepted HTTP header

What actually happened:

  • Access-Control-Allow-Headers from response doesn't contain Authorization HTTP header

Environment:

> rustc --version --verbose
rustc 1.18.0-nightly (bbdaad0dc 2017-04-14)
binary: rustc
commit-hash: bbdaad0dc8dc64e036ccee817f90a91876b32a9d
commit-date: 2017-04-14
host: x86_64-pc-windows-msvc
release: 1.18.0-nightly
LLVM version: 3.9
Server: jsonrpc-minihttp-server/7.0.0

Related info:

@ghost
Author

ghost commented Apr 16, 2017

From Chrome's chrome://net-internals/#events:

719027: URL_REQUEST
http://localhost:1920/
Start Time: 2017-04-16 23:18:58.760

t=532210 [st=0] +REQUEST_ALIVE  [dt=7]
                 --> priority = "MEDIUM"
                 --> url = "http://localhost:1920/"
t=532210 [st=0]   +URL_REQUEST_DELEGATE  [dt=4]
t=532210 [st=0]      DELEGATE_INFO  [dt=4]
                     --> delegate_blocked_by = "Adblock Plus-Erweiterung"
t=532214 [st=4]   -URL_REQUEST_DELEGATE
t=532214 [st=4]   +URL_REQUEST_START_JOB  [dt=3]
                   --> load_flags = 34624 (DO_NOT_SAVE_COOKIES | DO_NOT_SEND_AUTH_DATA | DO_NOT_SEND_COOKIES | MAYBE_USER_GESTURE | VERIFY_EV_CERT)
                   --> method = "OPTIONS"
                   --> url = "http://localhost:1920/"
t=532214 [st=4]      URL_REQUEST_DELEGATE  [dt=0]
t=532214 [st=4]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=532214 [st=4]     +HTTP_STREAM_REQUEST  [dt=1]
t=532214 [st=4]        HTTP_STREAM_REQUEST_STARTED_JOB
                       --> source_dependency = 719029 (HTTP_STREAM_JOB)
t=532215 [st=5]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                       --> source_dependency = 719029 (HTTP_STREAM_JOB)
t=532215 [st=5]     -HTTP_STREAM_REQUEST
t=532215 [st=5]     +HTTP_TRANSACTION_SEND_REQUEST  [dt=0]
t=532215 [st=5]        HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                       --> OPTIONS / HTTP/1.1
                           Host: localhost:1920
                           Connection: keep-alive
                           Access-Control-Request-Method: POST
                           Origin: null
                           User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
                           Access-Control-Request-Headers: authorization,content-type
                           Accept: */*
                           Accept-Encoding: gzip, deflate, sdch, br
                           Accept-Language: en-US,en;q=0.8
t=532215 [st=5]     -HTTP_TRANSACTION_SEND_REQUEST
t=532215 [st=5]     +HTTP_TRANSACTION_READ_HEADERS  [dt=2]
t=532215 [st=5]        HTTP_STREAM_PARSER_READ_HEADERS  [dt=1]
t=532216 [st=6]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                       --> HTTP/1.1 200 OK
                           Server: jsonrpc-minihttp-server/7.0.0
                           Content-Length: 0
                           Date: Sun, 16 Apr 2017 23:18:58
                           Content-Type: application/json
                           Access-Control-Allow-Methods: OPTIONS, POST
                           Access-Control-Allow-Headers: Origin, Content-Type, Accept
                           Access-Control-Allow-Origin: null
                           Vary: Origin
                           Allow: OPTIONS, POST
                           Accept: application/json
t=532217 [st=7]     -HTTP_TRANSACTION_READ_HEADERS
t=532217 [st=7]      URL_REQUEST_DELEGATE  [dt=0]
t=532217 [st=7]   -URL_REQUEST_START_JOB
t=532217 [st=7]    URL_REQUEST_DELEGATE  [dt=0]
t=532217 [st=7]    HTTP_TRANSACTION_READ_BODY  [dt=0]
t=532217 [st=7] -REQUEST_ALIVE

@ghost
Author

ghost commented Apr 16, 2017

The Chrome console shows: Fetch API cannot load http://localhost:1920/. Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

@debris
Contributor

debris commented Apr 17, 2017

@tomusdrw any ideas? :)

@tomusdrw
Contributor

The RPC server doesn't really support Authorization, so if you're using some kind of a proxy, the proxy can alter response headers as well.

That said, Authorization is probably possible to implement using request_middleware so it may make sense to allow that header. I think the best solution would be to allow people to define Access-Control-Allow-Headers when configuring the server.
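
Added example, not part of the thread and not the project's code: a preflight check against a configurable header allow-list, run on the `Access-Control-Request-Headers` value from the capture above. The function name `preflight_allow_headers` and its signature are hypothetical.

```rust
/// Split a comma-separated header value into trimmed, non-empty names.
fn parse_list(value: &str) -> Vec<&str> {
    value.split(',').map(str::trim).filter(|s| !s.is_empty()).collect()
}

/// Decide the preflight answer for an `Access-Control-Request-Headers` value.
/// `allowed` is the operator-configured allow-list (hypothetical parameter).
/// Ok(value) is what to send back in `Access-Control-Allow-Headers`;
/// Err(names) lists the requested headers the allow-list does not cover,
/// in which case the browser will block the actual request.
pub fn preflight_allow_headers(
    allowed: &[String],
    requested: &str,
) -> Result<String, Vec<String>> {
    let rejected: Vec<String> = parse_list(requested)
        .into_iter()
        // Header names are case-insensitive: Chrome sends them lowercased.
        .filter(|name| !allowed.iter().any(|a| a.eq_ignore_ascii_case(name)))
        .map(|name| name.to_string())
        .collect();
    if rejected.is_empty() {
        // Answer with the configured list, never with the raw request value.
        Ok(allowed.join(", "))
    } else {
        Err(rejected)
    }
}

/// Build an owned allow-list from string literals.
pub fn allow_list(names: &[&str]) -> Vec<String> {
    names.iter().map(|n| n.to_string()).collect()
}

fn main() {
    // Request value taken from the net-internals capture in this thread.
    let requested = "authorization,content-type";
    // The fixed list the server answered with in that capture.
    let fixed = allow_list(&["Origin", "Content-Type", "Accept"]);
    // The same list with Authorization added by configuration.
    let custom = allow_list(&["Origin", "Content-Type", "Accept", "Authorization"]);
    println!("fixed:  {:?}", preflight_allow_headers(&fixed, requested));
    println!("custom: {:?}", preflight_allow_headers(&custom, requested));
}
```

Keeping the list explicit means a header such as Authorization is accepted cross-origin only when the operator has opted in.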

tomusdrw changed the title from "Authorization header wrong processing during preflighted CORS request" to "Allow customisation of Access-Control-Allow-Headers" on Apr 18, 2017
@tomusdrw
Contributor

I've renamed the issue accordingly.

@ghost
Author

ghost commented Apr 18, 2017

@tomusdrw for all transport protocols or only for minihttp?

@tomusdrw
Contributor

I think it's only for minihttp and http (we try to keep the external API of ServerBuilder the same for both). The rest of the transports don't really have this issue.

@ghost
Author

ghost commented Apr 18, 2017

Good, I will try to solve it.

@tomusdrw
Contributor

Awesome, thanks!

@MysticRyuujin

So have there been any changes recently here? I know a few versions back I could add a Parity Custom Node in MEW/MyCrypto just fine; however, as of now (1.9.2) I'm no longer able to add Parity. See the linked issue above. Should I open a new issue, as I'm guessing this isn't 100% related?

@tomusdrw
Contributor

@MysticRyuujin Can't tell if the issue is related without more detailed info. Are you sure the node is running with --jsonrpc-cors <frontend-domain>?

@MysticRyuujin

@tomusdrw Nope, I was not running with --jsonrpc-cors configured. That fixed it 👍

@cmichi
Contributor

cmichi commented Aug 28, 2018

@tomusdrw I would like to implement this and AFAICT there is currently nobody working on the issue. Ok?

@tomusdrw
Contributor

@cmichi Correct, no one is working on this. I would also skip the minihttp part; we might be deprecating that soon unless someone is actually using it (note it doesn't even support transfer-encoding: chunked).

@cmichi
Contributor

cmichi commented Nov 21, 2018

This issue can be closed since #305 was merged.

@tomusdrw
Contributor

@cmichi Correct, thanks!
