set Access-Control-Allow-Origin header according to origin header #3686

Closed
irgb opened this issue Jul 27, 2018 · 8 comments
area/middleware kind/enhancement a new or improved feature. priority/P2 need to be fixed in the future status/5-frozen-due-to-age


irgb commented Jul 27, 2018

Feature

What did you expect to see?

It seems that Traefik only supports setting Access-Control-Allow-Origin to a fixed value such as "Access-Control-Allow-Origin: *", "Access-Control-Allow-Origin: https://google.com" via traefik.frontend.headers.customResponseHeaders.

It would be better if we could set Access-Control-Allow-Origin to the origin if the origin satisfies requirements.
For example:

origin: http://domain1.google.com -> Access-Control-Allow-Origin: http://domain1.google.com
origin: http://domain2.google.com -> Access-Control-Allow-Origin: http://domain2.google.com

Member

mmatur commented Jul 30, 2018

#1292

@mmatur mmatur added kind/enhancement a new or improved feature. priority/P2 need to be fixed in the future area/middleware and removed status/0-needs-triage labels Jul 30, 2018
@dtomcej dtomcej self-assigned this Aug 20, 2018
Contributor

dtomcej commented Aug 21, 2018

@irgb I have a branch where I am working on creating CORS headers, but there is a fair bit of logic involved. Should have something up in the next few days.

@dtomcej dtomcej mentioned this issue Aug 21, 2018
5 tasks
Contributor

gheibia commented Jan 16, 2019

@dtomcej does this mean that when configured, Traefik returns not only the origin, but also "Vary: Origin" header?

Contributor

dtomcej commented Jan 17, 2019

@gheibia This issue does not implement caching headers, since that can easily be configured by the current customheaders configuration. The Vary header does not require any dynamic content from the request, AFAIK.

If it does, it would be a follow-up feature request IMO

Contributor

gheibia commented Jan 18, 2019

@dtomcej

Quoting Mozilla's spec (mentioned in the PR):

> If the server sends a response with an Access-Control-Allow-Origin value that is an explicit origin (rather than the "*" wildcard), then the response should also include a Vary response header with the value Origin — to indicate to browsers that server responses can differ based on the value of the Origin request header.

From that I assumed the Vary: Origin header goes hand-in-hand with the new behaviour where Traefik can be configured with a list of origins (in order to return the origin if there is a match) instead of a static value. However, I'd be happy to take that on after you're done with your PR.

Contributor

dtomcej commented Jan 20, 2019

@gheibia,

Good catch on the Vary: Origin header section in that spec. I will update the PR to include it.

> Traefik can be configured with a list of origins

I don't think that is how it will work.

From my research https://www.w3.org/TR/cors/#access-control-allow-origin-response-header, it would seem that only 3 options are available as a response:

> by returning the value of the Origin request header, "*", or "null" in the response

I may be misreading the spec, but that's how I read it.

Contributor

gheibia commented Jan 20, 2019

No, you're right about how it should work. By list of origins I was referring to Traefik's to-be configuration. In other words, Traefik could have a set of whitelisted origins using which it determines whether it should return the Origin. For example, if the configuration lists out "https://abc.com" and "https://xyz.com" as trusted origins, then a request with "https://xyz.com" as its origin would cause Traefik to return:

Access-Control-Allow-Origin: https://xyz.com
Vary: Origin

Of course, if the configuration is null or *, then regardless of the origin header of the request, the server either adds nothing to the response header or adds Access-Control-Allow-Origin: * respectively.
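
The allow-list behaviour discussed in the comments above, as an added Go example; it is not Traefik's code and not taken from the PR that closed this issue. The names `corsAllowList` and `probe` and the sample origins in `main` are hypothetical. It goes one step beyond the thread by sending `Vary: Origin` for non-matching origins too, so a shared cache cannot serve a response stored for one origin to another.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsAllowList is a hypothetical middleware. allowed holds exact origins;
// a "*" entry means any origin; an empty list adds no CORS headers.
func corsAllowList(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		switch {
		case set["*"]:
			// Static wildcard: the response does not depend on Origin.
			w.Header().Set("Access-Control-Allow-Origin", "*")
		case len(set) > 0:
			// The response depends on Origin, so caches must key on it.
			w.Header().Add("Vary", "Origin")
			if set[origin] { // exact string match, never prefix or suffix
				w.Header().Set("Access-Control-Allow-Origin", origin)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given Origin and returns both headers.
func probe(h http.Handler, origin string) (acao, vary string) {
	req := httptest.NewRequest(http.MethodGet, "http://backend.example/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Vary")
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := corsAllowList([]string{"https://abc.com", "https://xyz.com"}, ok)
	for _, o := range []string{"https://xyz.com", "https://xyz.com.other.example"} { // constructed
		acao, vary := probe(h, o)
		fmt.Printf("Origin=%q -> ACAO=%q Vary=%q\n", o, acao, vary)
	}
}
```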

@traefiker traefiker added this to the 2.0 milestone Apr 2, 2019
@traefiker
Contributor

Closed by #3809.

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019