-
-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No CORS Headers #14357
Comments
Hi, @kasonde is this issue still there? if not resolved, can I work on this |
@majjikishore007 I'm having this issue as well, running 4.3.9 locally. Checked with Postman. |
I think this problem is because of how koa/js handles requests with missing Origin header. I just opened a PullRequest for Koarjs/cors in order to fix the call for options handlers, even if Origin header is not sent. Follow req: https://www.rfc-editor.org/rfc/rfc6454#section-7.3 I Believie I'll fix this Koa/js Issue: After fixing it - If my Fix is right - I think we will need to check the default credentials true and allow with '*' as default. I am not sure if all request should have default credentials as true: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
In order to FIX
|
…trapi#14357 There was a bug that is fixed on koa/cors 3.4.2 version.
In order to prioritize security, I left credentials as true as default. This means that the api will not responde with ´*' , as default, despite the configuration is. Now, you guys have the possibility to set credentials as false and, even though origin is not being set on request header, you will see Access-Control-Allow-Origin as '*' as response. How to set Access-Control-Allow-Origin as '*' ?Set credentials as false on config/middlewares.js, call any API in order to retrive Access-Control-Allow-Origin as '*' as DEFAULT.
|
…aders-14357 Updating koa/cors to 3.4.2 in order to fix cors filter origin problem #14357
reopening as the fix was reverted in #14677 since it was a breaking change. |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/i-dont-see-the-cors-access-origin-headers-in-the-response-headers/30646/3 |
the vulnerability was discoved recently CVE-2023-49803(GHSA-qxrj-hx23-xp82) |
That vuln doesn't apply to us as we intentionally set the origin by default as |
@derrickmehaffy ah true, default cors middleware has "*" value. Is it possible to deactivate CORS completely, if one does not need it? e.g. calling strapi API from the server side (nextjs) and not from the browser. |
Possible yes if you needed to. Yes our default is overly permissive on the origin but we can't set the origin without knowing it and we don't. Users have to configure that when they deploy. |
Hello there, is this still a pending issue? Or is it fixed somewhere else? |
I currently have issues with this on 4.24.0, allowed origin header stays empty no matter what I change in the cors middleware config. 4.23.1 is unaffected though. |
@ExploHash +1, so damn annoying |
origin is always empty on same-site, only cross domain does the browser send that header |
I changed the koa cors version back to an earlier by setting an overrides entry in the package.json file, and then at least the empty origin access control header was gone, and I could set the missing header by Apache. Overriding empty header keys seems not to be a strength of Apache. |
Hmm previously no header was sent at all, so maybe it's just a symptom not the problem. All I know is that after upgrading I have cors errors and the header wasn't set. When I reverted back a version it worked again. |
I have the same problem, as far as I can tell. My frontend does an OPTIONS request, does not get any This is my error message in the browser: Strapi 4.24.3 on node.js 18.17.1 |
When you have no Access-Control-Header with empty value you can easily set the header by this Apache server config: HTTP RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} HTTPS # Proxy settings
ProxyPass / http://localhost:13370/
ProxyPassReverse / http://localhost:13370/
ProxyPreserveHost On
ProxyRequests Off
# Header settings
RequestHeader set X-Forwarded-Host %{HTTP_HOST}s
RequestHeader set X-Forwarded-Server %{HTTP_HOST}s
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
RequestHeader set X-Forwarded-For %{HTTP_X_FORWARDED_FOR}s
RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}s
RequestHeader set Host %{HTTP_HOST}s
RequestHeader set Upgrade %{HTTP_UPGRADE}s
RequestHeader set Connection "Upgrade"
# CORS headers
# Header set Access-Control-Allow-Origin "http://localhost:42000" "expr=-z %{req:Access-Control-Allow-Origin}"
Header set Access-Control-Allow-Origin "*" "expr=-z %{req:Access-Control-Allow-Origin}"
Header set Access-Control-Allow-Headers "Authorization" |
Bug report
Required System information
Describe the bug
There is no CORS headers when i request the api.
Steps to reproduce the behavior
Expected behavior
By default (from the documentation), there should be an "access-control-allow-origin : '*'" header.
Screenshots
The text was updated successfully, but these errors were encountered: