Isso Forces CORS Preflight but is unable to handle CORS Preflight requests

[OstlerDev]

Hello!

I am attempting to use Isso in my project, but the way I am using it I have to communicate directly with the API built into Isso. I am currently running into an issue where if I attempt to add a comment using the /new api endpoint, the request either will return a CSRF error (if I omit the Content-Type header), or a 502 error (if I attempt to call it like I do normally).

The issue is that Isso does not respond to the CORS preflight request.

Normally, the workaround would be to preform a Simple Request using an XMLHttpRequest but if the Content-Type header is omitted (instead of being application/json) so that the request is compliant with being a "Simple Request", Isso throws a CSRF error since the Content-Type header is unset.

The way to fix this bug would be to respond properly to the CORS preflight request (by listening to an OPTIONS request being made to the /new api endpoint), or remove the requirement of adding the Content-Type header to allow it to be just a Simple Request.

I assume many have not run into this issue, as the CORS preflight request would not be sent if the user was on the same domain as the Isso server (since it would not be Cross Origin then).

Please let me know if you need any more information!

[posativ]

Isso answers to CORS preflight requests: https://github.com/posativ/isso/blob/master/isso/wsgi.py#L122.

Do you have a web proxy in use with Isso?

[OstlerDev]

I believe I do have a web proxy in use as well, currently using Nginx.

[posativ]

Please try without nginx for Isso and directly use Isso.

[posativ]

Okay, I can see an exception on my services...

  File "/var/lib/isso/lib/python2.7/site-packages/gevent/pywsgi.py", line 884, in handle_one_response
    self.run_application()
  File "/var/lib/isso/lib/python2.7/site-packages/gevent/pywsgi.py", line 870, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/var/lib/isso/lib/python2.7/site-packages/werkzeug/contrib/fixers.py", line 152, in __call__
    return self.app(environ, start_response)
  File "/var/lib/isso/lib/python2.7/site-packages/isso/wsgi.py", line 119, in __call__
    return self.app(environ, start_response)
  File "/var/lib/isso/lib/python2.7/site-packages/isso/wsgi.py", line 147, in __call__
    add_cors_headers("200 Ok", [("Content-Type", "text/plain")])
  File "/var/lib/isso/lib/python2.7/site-packages/isso/wsgi.py", line 144, in add_cors_headers
    return start_response(status, headers.to_list(), exc_info)
  File "/var/lib/isso/lib/python2.7/site-packages/gevent/pywsgi.py", line 799, in start_response
    raise UnicodeError("The status string must be a native string")
UnicodeError: The status string must be a native string
{'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTP_ACCEPT': '*/*',
 'HTTP_CONNECTION': 'close',
 'HTTP_HOST': 'posativ.org',
 'HTTP_USER_AGENT': 'curl/7.55.1',
 'HTTP_X_FORWARDED_FOR': '::ffff:127.0.0.1'',
 'HTTP_X_FORWARDED_PROTO': 'https',
 'HTTP_X_SCRIPT_NAME': '/isso/api',
 'PATH_INFO': '/count',
 'QUERY_STRING': '',
 'REMOTE_ADDR': '::ffff:127.0.0.1',
 'REMOTE_PORT': '41790',
 'REQUEST_METHOD': 'OPTIONS',
 'SCRIPT_NAME': '/isso/api',
 'SERVER_NAME': 'localhost',
 'SERVER_PORT': '7001',
 'SERVER_PROTOCOL': 'HTTP/1.1',
 'SERVER_SOFTWARE': 'gevent/1.1 Python/2.7',
 'werkzeug.proxy_fix.orig_http_host': 'posativ.org',
 'werkzeug.proxy_fix.orig_remote_addr': '127.0.0.1',
 'werkzeug.proxy_fix.orig_wsgi_url_scheme': 'http',
 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x69b929f861e0>,
 'wsgi.input': <gevent.pywsgi.Input object at 0x69b923048328>,
 'wsgi.multiprocess': False,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'https',
 'wsgi.version': (1, 0)} failed with UnicodeError```

[NegativeDearc]

Hello, I'm encountered this error also.

127.0.0.1 - - [2017-10-22 15:04:10] "OPTIONS /count HTTP/1.0" 500 161 0.000654
Traceback (most recent call last):
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/gevent/pywsgi.py", line 935, in handle_one_response
    self.run_application()
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/gevent/pywsgi.py", line 908, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/werkzeug/contrib/fixers.py", line 152, in __call__
    return self.app(environ, start_response)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/isso/wsgi.py", line 119, in __call__
    return self.app(environ, start_response)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/isso/wsgi.py", line 147, in __call__
    add_cors_headers("200 Ok", [("Content-Type", "text/plain")])
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/isso/wsgi.py", line 144, in add_cors_headers
    return start_response(status, headers.to_list(), exc_info)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/gevent/pywsgi.py", line 830, in start_response
    raise UnicodeError("The status string must be a native string")
UnicodeError: The status string must be a native string
Sun Oct 22 15:04:10 2017 {'REMOTE_PORT': '52242', 'HTTP_HOST': 'comment.kukumalu.cc', 'REMOTE_ADDR': '114.216.124.225', (hidden keys: 30)} failed with UnicodeError

And I updated my nginx file like below can solve this problem

server {
    listen         80;
    server_name    comment.kukumalu.cc;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;


        if ($request_method = 'OPTIONS') {
	        add_header 'Access-Control-Allow-Origin' 'http://www.kukumalu.cc';
	        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, POST, PUT, DELETE';
	        add_header 'Access-Control-Allow-Credentials' 'true';
	        add_header 'Access-Control-Allow-Headers' 'Origin, Referer, Content-Type';

	        # Tell client that this pre-flight info is valid for 20 days
	   
	        add_header 'Access-Control-Max-Age' 1728000;
	        add_header 'Content-Type' 'text/plain; charset=utf-8';
	        add_header 'Content-Length' 0;
	        return 204;
        }
    }
}

[antonio-guillen]

Hi,

you can fix it running:

ISSO_VIRTUALENV=/opt/isso/dev
sed -i 's|"200 Ok"|b"200 Ok"|g' $ISSO_VIRTUALENV/lib/python2.7/site-packages/isso/wsgi.py

Related: #297

[OstlerDev]

I believe the issue might have been introduced by this commit: 0377c8b

It seems to remove the 200 response from the options request.

Still blank in the current version: https://github.com/posativ/isso/blob/master/isso/wsgi.py#L148

[hiliev]

My wsgi.py looks like this:

...
from werkzeug.wrappers import Response
...
if environ.get("REQUEST_METHOD") == "OPTIONS":
    #add_cors_headers(b"200 Ok", [("Content-Type", "text/plain")])
    #return []
    response = Response("Ok")
    return response(environ, add_cors_headers)

I don't remember where the replacement code comes from. It works from behind Nginx and the same isso instance serves two sites on different domains.