amberframework / amber

A Crystal web framework that makes building applications fast, simple, and enjoyable. Get started with quick prototyping, less bugs, and blazing fast performance.
https://amberframework.org
MIT License

If the origin header doesn’t exist, the CORS pipe should ignore it and not validate against the allowed list. #1224

Closed samholst closed 4 years ago

samholst commented 4 years ago

Description

When making a GET request from the frontend, the Amber CORS pipe will block the request.

  pipeline :api do
    plug Amber::Pipe::PoweredByAmber.new
    plug Amber::Pipe::Error.new
    plug Amber::Pipe::Logger.new
    plug Amber::Pipe::Session.new
    plug Amber::Pipe::CORS.new(origins: ["*", %r(), "http://localhost:3000", "http://localhost:8080"])
  end

Steps to Reproduce

  1. Open Firefox browser (version 79.0 64-bit)
  2. Load http://localhost:3000
  3. Make a GET request from JavaScript frontend
  4. Will be blocked due to CORS

Expected behavior: [What you expect to happen]

If the origin header doesn’t exist, the CORS pipe should ignore it and not validate against the allowed list.

Actual behavior: [What actually happens]

It is validated and the request fails, for example with a GET request coming from the frontend to the API pipeline.

Reproduces how often: [What percentage of the time does it reproduce?]

100%

Versions

Version 0.34.0 of Amber and Crystal

Additional Information

As something else (I could be implementing it wrong), using http://localhost:8080 (npm server) and requesting a GET endpoint in the API pipeline on http://localhost:3000 (amber server) produces a missing allow origin error on the frontend. In the controller's action, I have

  response.headers.add("Access-Control-Allow-Origin", "*")

which I believe should allow the request, but doesn't seem to?

eliasjpr commented 4 years ago

Fixed with #1225
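The behaviour requested in this issue, as an added Crystal sketch (not Amber's code and not the change in #1225): a request with no Origin header skips validation, while a present Origin is checked against the allow-list. `CorsDecision`, `OriginRule`, `origin_allowed?` and `cors_decision` are hypothetical names, and the sample headers and `example.test` hosts are constructed.

```crystal
require "http/headers"

# Hypothetical helper types, not part of Amber's API.
enum CorsDecision
  Skip   # no Origin header: nothing to validate, pass the request on
  Allow  # Origin present and matched by the allow-list
  Forbid # Origin present but not matched
end

alias OriginRule = String | Regex

# True when the origin matches any rule: "*" wildcard, exact string, or regex.
def origin_allowed?(origin : String, rules : Array(OriginRule)) : Bool
  rules.any? do |rule|
    case rule
    when String then rule == "*" || rule == origin
    when Regex  then !rule.match(origin).nil?
    else             false
    end
  end
end

# Only validate when the client actually sent an Origin header.
# Skipping is not authorization: authentication still has to happen elsewhere.
def cors_decision(headers : HTTP::Headers, rules : Array(OriginRule)) : CorsDecision
  origin = headers["Origin"]?
  return CorsDecision::Skip unless origin
  origin_allowed?(origin, rules) ? CorsDecision::Allow : CorsDecision::Forbid
end

# Explicit origins plus one regex anchored with \A and \z.
strict = ["http://localhost:3000", "http://localhost:8080",
          %r(\Ahttps://[a-z0-9-]+\.example\.test\z)] of OriginRule

# An empty pattern, like the %r() entry in the pipeline above.
loose = [Regex.new("")] of OriginRule

# Constructed sample requests.
no_origin = HTTP::Headers.new
frontend  = HTTP::Headers{"Origin" => "http://localhost:8080"}
other     = HTTP::Headers{"Origin" => "http://other.example.test"}

puts "no Origin header, strict list: #{cors_decision(no_origin, strict)}"
puts "listed frontend, strict list:  #{cors_decision(frontend, strict)}"
puts "unlisted origin, strict list:  #{cors_decision(other, strict)}"
puts "unlisted origin, loose list:   #{cors_decision(other, loose)}"
```

An empty or unanchored regex matches every origin, so a list containing one no longer restricts anything, just like a `"*"` entry.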