New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Isso Forces CORS Preflight but is unable to handle CORS Preflight requests #347

Open
OstlerDev opened this Issue Oct 10, 2017 · 8 comments

Comments

Projects
None yet
5 participants
@OstlerDev
Copy link

OstlerDev commented Oct 10, 2017

Hello!

I am attempting to use Isso in my project, but the way I am using it I have to communicate directly with the API built into Isso. I am currently running into an issue where if I attempt to add a comment using the /new api endpoint, the request either will return a CSRF error (if I omit the Content-Type header), or a 502 error (if I attempt to call it like I do normally).

The issue is that Isso does not respond to the CORS preflight request.

Normally, the workaround would be to preform a Simple Request using an XMLHttpRequest but if the Content-Type header is omitted (instead of being application/json) so that the request is compliant with being a "Simple Request", Isso throws a CSRF error since the Content-Type header is unset.

The way to fix this bug would be to respond properly to the CORS preflight request (by listening to an OPTIONS request being made to the /new api endpoint), or remove the requirement of adding the Content-Type header to allow it to be just a Simple Request.

I assume many have not run into this issue, as the CORS preflight request would not be sent if the user was on the same domain as the Isso server (since it would not be Cross Origin then).

Please let me know if you need any more information!

@posativ

This comment has been minimized.

Copy link
Owner

posativ commented Oct 18, 2017

Isso answers to CORS preflight requests: https://github.com/posativ/isso/blob/master/isso/wsgi.py#L122.

Do you have a web proxy in use with Isso?

@OstlerDev

This comment has been minimized.

Copy link
Author

OstlerDev commented Oct 19, 2017

I believe I do have a web proxy in use as well, currently using Nginx.

@posativ

This comment has been minimized.

Copy link
Owner

posativ commented Oct 20, 2017

Please try without nginx for Isso and directly use Isso.

@posativ

This comment has been minimized.

Copy link
Owner

posativ commented Oct 20, 2017

Okay, I can see an exception on my services...

  File "/var/lib/isso/lib/python2.7/site-packages/gevent/pywsgi.py", line 884, in handle_one_response
    self.run_application()
  File "/var/lib/isso/lib/python2.7/site-packages/gevent/pywsgi.py", line 870, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/var/lib/isso/lib/python2.7/site-packages/werkzeug/contrib/fixers.py", line 152, in __call__
    return self.app(environ, start_response)
  File "/var/lib/isso/lib/python2.7/site-packages/isso/wsgi.py", line 119, in __call__
    return self.app(environ, start_response)
  File "/var/lib/isso/lib/python2.7/site-packages/isso/wsgi.py", line 147, in __call__
    add_cors_headers("200 Ok", [("Content-Type", "text/plain")])
  File "/var/lib/isso/lib/python2.7/site-packages/isso/wsgi.py", line 144, in add_cors_headers
    return start_response(status, headers.to_list(), exc_info)
  File "/var/lib/isso/lib/python2.7/site-packages/gevent/pywsgi.py", line 799, in start_response
    raise UnicodeError("The status string must be a native string")
UnicodeError: The status string must be a native string
{'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTP_ACCEPT': '*/*',
 'HTTP_CONNECTION': 'close',
 'HTTP_HOST': 'posativ.org',
 'HTTP_USER_AGENT': 'curl/7.55.1',
 'HTTP_X_FORWARDED_FOR': '::ffff:127.0.0.1'',
 'HTTP_X_FORWARDED_PROTO': 'https',
 'HTTP_X_SCRIPT_NAME': '/isso/api',
 'PATH_INFO': '/count',
 'QUERY_STRING': '',
 'REMOTE_ADDR': '::ffff:127.0.0.1',
 'REMOTE_PORT': '41790',
 'REQUEST_METHOD': 'OPTIONS',
 'SCRIPT_NAME': '/isso/api',
 'SERVER_NAME': 'localhost',
 'SERVER_PORT': '7001',
 'SERVER_PROTOCOL': 'HTTP/1.1',
 'SERVER_SOFTWARE': 'gevent/1.1 Python/2.7',
 'werkzeug.proxy_fix.orig_http_host': 'posativ.org',
 'werkzeug.proxy_fix.orig_remote_addr': '127.0.0.1',
 'werkzeug.proxy_fix.orig_wsgi_url_scheme': 'http',
 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x69b929f861e0>,
 'wsgi.input': <gevent.pywsgi.Input object at 0x69b923048328>,
 'wsgi.multiprocess': False,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'https',
 'wsgi.version': (1, 0)} failed with UnicodeError```
@NegativeDearc

This comment has been minimized.

Copy link

NegativeDearc commented Oct 22, 2017

Hello, I'm encountered this error also.

127.0.0.1 - - [2017-10-22 15:04:10] "OPTIONS /count HTTP/1.0" 500 161 0.000654
Traceback (most recent call last):
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/gevent/pywsgi.py", line 935, in handle_one_response
    self.run_application()
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/gevent/pywsgi.py", line 908, in run_application
    self.result = self.application(self.environ, self.start_response)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/werkzeug/contrib/fixers.py", line 152, in __call__
    return self.app(environ, start_response)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/isso/wsgi.py", line 119, in __call__
    return self.app(environ, start_response)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/isso/wsgi.py", line 147, in __call__
    add_cors_headers("200 Ok", [("Content-Type", "text/plain")])
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/isso/wsgi.py", line 144, in add_cors_headers
    return start_response(status, headers.to_list(), exc_info)
  File "/home/app/negativedearc.github.io/venv/local/lib/python2.7/site-packages/gevent/pywsgi.py", line 830, in start_response
    raise UnicodeError("The status string must be a native string")
UnicodeError: The status string must be a native string
Sun Oct 22 15:04:10 2017 {'REMOTE_PORT': '52242', 'HTTP_HOST': 'comment.kukumalu.cc', 'REMOTE_ADDR': '114.216.124.225', (hidden keys: 30)} failed with UnicodeError

And I updated my nginx file like below can solve this problem

server {
    listen         80;
    server_name    comment.kukumalu.cc;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;


        if ($request_method = 'OPTIONS') {
	        add_header 'Access-Control-Allow-Origin' 'http://www.kukumalu.cc';
	        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, POST, PUT, DELETE';
	        add_header 'Access-Control-Allow-Credentials' 'true';
	        add_header 'Access-Control-Allow-Headers' 'Origin, Referer, Content-Type';

	        # Tell client that this pre-flight info is valid for 20 days
	   
	        add_header 'Access-Control-Max-Age' 1728000;
	        add_header 'Content-Type' 'text/plain; charset=utf-8';
	        add_header 'Content-Length' 0;
	        return 204;
        }
    }
}
@agdg

This comment has been minimized.

Copy link
Contributor

agdg commented Oct 23, 2017

Hi,

you can fix it running:

ISSO_VIRTUALENV=/opt/isso/dev
sed -i 's|"200 Ok"|b"200 Ok"|g' $ISSO_VIRTUALENV/lib/python2.7/site-packages/isso/wsgi.py

Related: #297

@OstlerDev

This comment has been minimized.

Copy link
Author

OstlerDev commented Oct 23, 2017

I believe the issue might have been introduced by this commit: 0377c8b

It seems to remove the 200 response from the options request.

Still blank in the current version: https://github.com/posativ/isso/blob/master/isso/wsgi.py#L148

@hiliev

This comment has been minimized.

Copy link

hiliev commented Nov 29, 2017

My wsgi.py looks like this:

...
from werkzeug.wrappers import Response
...
if environ.get("REQUEST_METHOD") == "OPTIONS":
    #add_cors_headers(b"200 Ok", [("Content-Type", "text/plain")])
    #return []
    response = Response("Ok")
    return response(environ, add_cors_headers)

I don't remember where the replacement code comes from. It works from behind Nginx and the same isso instance serves two sites on different domains.

hiliev pushed a commit to hiliev/isso that referenced this issue Nov 29, 2017

Hristo Iliev
Fix for posativ#297 and posativ#347
Let Werkzeug produce a proper status string.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment