Rework access control origin configuration

docs/content/middlewares/headers.md

@@ -197,7 +197,7 @@ This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -213,22 +213,24 @@ spec:
       - "GET"
       - "OPTIONS"
       - "PUT"
-    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
     accessControlMaxAge: 100
     addVaryHeader: "true"
 ```
 
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
 
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
   "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
   "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
@@ -237,7 +239,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@@ -246,7 +248,7 @@ labels:
 [http.middlewares]
   [http.middlewares.testHeader.headers]
     accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
     accessControlMaxAge = 100
     addVaryHeader = true
 ```
@@ -260,7 +262,9 @@ http:
           - GET
           - OPTIONS
           - PUT
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
         accessControlMaxAge: 100
         addVaryHeader: true
 ```
@@ -295,14 +299,22 @@ The `accessControlAllowHeaders` indicates which header field names can be used a
 
 The  `accessControlAllowMethods` indicates which methods can be used during requests.
 
-### `accessControlAllowOrigin`
+### `accessControlAllowOriginList`
 
-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
-The three options for this value are:
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
 
-- `origin-list-or-null`
-- `*`
-- `null`
+A wildcard origin `*` can also be configured, and will match all requests.
+If this value is set by a backend server, it will be overwritten by Traefik
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
 
 ### `accessControlExposeHeaders`
 
@@ -314,7 +326,7 @@ The `accessControlMaxAge` indicates how long a preflight request can be cached.
 
 ### `addVaryHeader`
 
-The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
 
 ### `allowedHosts` 
 

docs/content/migration/v2.md

@@ -100,3 +100,11 @@ rules:
 ```
 
 After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -34,6 +34,7 @@
 - "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
 - "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
@@ -134,6 +135,7 @@
 - "traefik.http.routers.router1.tls.domains[1].main=foobar"
 - "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
 - "traefik.http.routers.router1.tls.options=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.followredirects=true"
 - "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.hostname=foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -147,6 +147,7 @@
         accessControlAllowHeaders = ["foobar", "foobar"]
         accessControlAllowMethods = ["foobar", "foobar"]
         accessControlAllowOrigin = "foobar"
+        accessControlAllowOriginList = ["foobar", "foobar"]
         accessControlExposeHeaders = ["foobar", "foobar"]
         accessControlMaxAge = 42
         addVaryHeader = true

docs/content/reference/dynamic-configuration/file.yaml

@@ -170,6 +170,9 @@ http:
         - foobar
         - foobar
         accessControlAllowOrigin: foobar
+        accessControlAllowOriginList:
+        - foobar
+        - foobar
         accessControlExposeHeaders:
         - foobar
         - foobar

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -41,6 +41,8 @@
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowMethods/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowMethods/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowOrigin` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlMaxAge` | `42` |

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -34,6 +34,7 @@
 "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin": "foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage": "42",
 "traefik.http.middlewares.middleware10.headers.addvaryheader": "true",
@@ -132,6 +133,7 @@
 "traefik.http.routers.router1.tls.domains[1].main": "foobar",
 "traefik.http.routers.router1.tls.domains[1].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.options": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.followredirects": "true",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",

integration/fixtures/headers/cors.toml

@@ -28,7 +28,7 @@
 [http.middlewares]
   [http.middlewares.cors.headers]
     accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org"]
     accessControlMaxAge = 100
     addVaryHeader = true
 

pkg/config/dynamic/fixtures/sample.toml

@@ -367,6 +367,7 @@
         accessControlAllowHeaders = ["foobar", "foobar"]
         accessControlAllowMethods = ["foobar", "foobar"]
         accessControlAllowOrigin = "foobar"
+        accessControlAllowOriginList = ["foobar", "foobar"]
         accessControlExposeHeaders = ["foobar", "foobar"]
         accessControlMaxAge = 42
         addVaryHeader = true

pkg/config/dynamic/middlewares.go

@@ -158,7 +158,9 @@ type Headers struct {
 	// AccessControlAllowMethods must be used in response to a preflight request with Access-Control-Request-Method set.
 	AccessControlAllowMethods []string `json:"accessControlAllowMethods,omitempty" toml:"accessControlAllowMethods,omitempty" yaml:"accessControlAllowMethods,omitempty"`
 	// AccessControlAllowOrigin Can be "origin-list-or-null" or "*". From (https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
-	AccessControlAllowOrigin string `json:"accessControlAllowOrigin,omitempty" toml:"accessControlAllowOrigin,omitempty" yaml:"accessControlAllowOrigin,omitempty"`
+	AccessControlAllowOrigin string `json:"accessControlAllowOrigin,omitempty" toml:"accessControlAllowOrigin,omitempty" yaml:"accessControlAllowOrigin,omitempty"` // Deprecated
+	// AccessControlAllowOriginList is a list of allowable origins. Can also be a wildcard origin "*".
+	AccessControlAllowOriginList []string `json:"accessControlAllowOriginList,omitempty" toml:"accessControlAllowOriginList,omitempty" yaml:"accessControlAllowOriginList,omitempty"`
 	// AccessControlExposeHeaders sets valid headers for the response.
 	AccessControlExposeHeaders []string `json:"accessControlExposeHeaders,omitempty" toml:"accessControlExposeHeaders,omitempty" yaml:"accessControlExposeHeaders,omitempty"`
 	// AccessControlMaxAge sets the time that a preflight request may be cached.
@@ -200,7 +202,7 @@ func (h *Headers) HasCorsHeadersDefined() bool {
 	return h != nil && (h.AccessControlAllowCredentials ||
 		len(h.AccessControlAllowHeaders) != 0 ||
 		len(h.AccessControlAllowMethods) != 0 ||
-		h.AccessControlAllowOrigin != "" ||
+		len(h.AccessControlAllowOriginList) != 0 ||
 		len(h.AccessControlExposeHeaders) != 0 ||
 		h.AccessControlMaxAge != 0 ||
 		h.AddVaryHeader)

pkg/config/label/label_test.go

@@ -47,6 +47,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolallowheaders":                   "X-foobar, X-fiibar",
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolallowmethods":                   "GET, PUT",
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolalloworigin":                    "foobar",
+		"traefik.http.middlewares.Middleware8.headers.accesscontrolalloworiginList":                "foobar, fiibar",
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolexposeheaders":                  "X-foobar, X-fiibar",
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolmaxage":                         "200",
 		"traefik.http.middlewares.Middleware8.headers.addvaryheader":                               "true",
@@ -516,6 +517,10 @@ func TestDecodeConfiguration(t *testing.T) {
 							"PUT",
 						},
 						AccessControlAllowOrigin: "foobar",
+						AccessControlAllowOriginList: []string{
+							"foobar",
+							"fiibar",
+						},
 						AccessControlExposeHeaders: []string{
 							"X-foobar",
 							"X-fiibar",
@@ -964,6 +969,10 @@ func TestEncodeConfiguration(t *testing.T) {
 							"PUT",
 						},
 						AccessControlAllowOrigin: "foobar",
+						AccessControlAllowOriginList: []string{
+							"foobar",
+							"fiibar",
+						},
 						AccessControlExposeHeaders: []string{
 							"X-foobar",
 							"X-fiibar",
@@ -1118,6 +1127,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowHeaders":                   "X-foobar, X-fiibar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowMethods":                   "GET, PUT",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowOrigin":                    "foobar",
+		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowOriginList":                "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlExposeHeaders":                  "X-foobar, X-fiibar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlMaxAge":                         "200",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AddVaryHeader":                               "true",