
Duplicate cors headers when using accessControlAllowOrigin: origin-list-or-null #6014

Closed
helloIAmPau opened this issue Dec 12, 2019 · 1 comment

Comments

@helloIAmPau

Do you want to request a feature or report a bug?

Bug

What did you do?

I've enabled the headers middleware in order to handle a CORS issue.

This is my service configuration:

http:
  middlewares:
    cors:
      headers:
        accessControlAllowOrigin: "origin-list-or-null"
        accessControlAllowCredentials: true
        accessControlAllowHeaders:
          - 'X-CSRF-Token'
          - 'Content-Type'
          - 'Access-Control-Allow-Origin'

  services:
    api:
      loadBalancer:
        passHostHeader: false
        servers:
          - url: 'https://remote.server.url/'

  routers:
    api-web:
      entrypoints:
        - 'web'
      service: 'api'
      rule: 'Host(`api.localhost.com`)'
      middlewares:
        - 'cors'

When I request a resource from the API service, it returns the Access-Control headers duplicated.

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://app.localhost.com
Access-Control-Allow-Origin: http://app.localhost.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=ISO-8859-1
Date: Thu, 12 Dec 2019 13:54:07 GMT
Expires: 0
Pragma: no-cache
Server: Apache
Vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Content-Length: 469

This causes the following security error in Chrome:

Access to XMLHttpRequest at 'http://api.localhost.com/authservice/auth/login' from origin 'http://app.localhost.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'http://app.localhost.com, http://app.localhost.com', but only one is allowed.

Output of traefik version: (What version of Traefik are you using?)

/ # traefik version
Version:      2.0.5
Codename:     montdor
Go version:   go1.13.4
Built:        2019-11-14T18:11:01Z
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Traefik running in docker with arguments:

'--api.insecure=true --providers.docker=true --providers.file.watch=true --providers.file.filename=/routes.yml --global.sendAnonymousUsage=true --log.level="DEBUG" --accesslog=true --entryPoints.web.address=":80"'
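The response above shows every CORS header twice: once from the upstream (the `Server: Apache` backend already answers CORS itself) and once from the proxy layer in front of it. The following is an added example, not Traefik's code and not a description of what the linked fix changed: it models a reverse proxy that injects CORS headers into an upstream response, shows that appending them (`http.Header.Add`) reproduces the duplicate `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` pair from the issue while overwriting (`http.Header.Set`) does not, and includes the check a practitioner can run against any response to catch this before a browser does. Echoing the request `Origin` is used as a stand-in for the `origin-list-or-null` behaviour, and the backend, origin and path are constructed from the values quoted in the issue.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sort"
)

// corsHeaders are the response headers a browser requires to be single-valued;
// a second Access-Control-Allow-Origin value is exactly what Chrome rejects in
// the error quoted in the issue.
var corsHeaders = []string{
	"Access-Control-Allow-Origin",
	"Access-Control-Allow-Credentials",
}

// duplicatedCORSHeaders returns the names of CORS headers carrying more than
// one value in h. Run it on any proxied response to detect the problem early.
func duplicatedCORSHeaders(h http.Header) []string {
	var dup []string
	for _, name := range corsHeaders {
		if len(h.Values(name)) > 1 {
			dup = append(dup, name)
		}
	}
	sort.Strings(dup)
	return dup
}

// newBackend is a constructed stand-in for the Apache upstream in the issue:
// it already emits its own CORS headers for the requesting origin.
func newBackend() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `{"ok":true}`)
	}))
}

// newProxy builds a reverse proxy that injects CORS headers on the way back.
// With overwrite=false it appends (Header.Add), which duplicates whatever the
// upstream already sent; with overwrite=true it replaces (Header.Set). This is
// a generic model of the failure mode, not Traefik's implementation.
func newProxy(backendURL string, overwrite bool) (*httptest.Server, error) {
	target, err := url.Parse(backendURL)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.ModifyResponse = func(resp *http.Response) error {
		// Assumption: echo the request Origin, as origin-list-or-null does.
		origin := resp.Request.Header.Get("Origin")
		values := map[string]string{
			"Access-Control-Allow-Origin":      origin,
			"Access-Control-Allow-Credentials": "true",
		}
		for name, v := range values {
			if overwrite {
				resp.Header.Set(name, v)
			} else {
				resp.Header.Add(name, v)
			}
		}
		return nil
	}
	return httptest.NewServer(proxy), nil
}

// fetch performs a cross-origin GET through the proxy and returns the headers.
func fetch(proxyURL, origin string) (http.Header, error) {
	req, err := http.NewRequest(http.MethodGet, proxyURL+"/authservice/auth/login", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Origin", origin)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.Header, nil
}

// reproduce runs both proxy variants against the same backend and returns the
// duplicated CORS header names seen through each.
func reproduce() (appended, overwritten []string, err error) {
	backend := newBackend()
	defer backend.Close()
	var proxy *httptest.Server
	var h http.Header
	for _, overwrite := range []bool{false, true} {
		if proxy, err = newProxy(backend.URL, overwrite); err != nil {
			return nil, nil, err
		}
		h, err = fetch(proxy.URL, "http://app.localhost.com")
		proxy.Close()
		if err != nil {
			return nil, nil, err
		}
		if overwrite {
			overwritten = duplicatedCORSHeaders(h)
		} else {
			appended = duplicatedCORSHeaders(h)
		}
	}
	return appended, overwritten, nil
}

func main() {
	appended, overwritten, err := reproduce()
	if err != nil {
		panic(err)
	}
	fmt.Println("appending proxy duplicates:  ", appended)
	fmt.Println("overwriting proxy duplicates:", overwritten)
}
```

The appending variant yields two `Access-Control-Allow-Origin: http://app.localhost.com` lines, matching the capture in the issue; the overwriting variant yields one. Whichever layer ends up owning CORS (proxy or upstream), only one of them should emit these headers, and `duplicatedCORSHeaders` is a cheap assertion to keep in an integration test so the regression is caught server-side rather than in a browser console.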
@dduportal dduportal added area/middleware kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. and removed status/0-needs-triage labels Dec 12, 2019
@dduportal dduportal added this to issues in v2 via automation Dec 12, 2019
@dduportal
Contributor

Hi ! It looks like this issue is a duplicate of #5567 , and should be fixed by #5996 :)

v2 automation moved this from issues to Done Dec 12, 2019
@dduportal dduportal removed this from Done in v2 Dec 12, 2019
@dduportal dduportal added resolution/duplicate and removed kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. labels Dec 12, 2019
@traefik traefik locked and limited conversation to collaborators Jan 15, 2020