apache / openwhisk

Apache OpenWhisk is an open source serverless cloud platform
https://openwhisk.apache.org/
Apache License 2.0

Default CORS handling doesn't handle headers well #2653

Closed akrabat closed 6 years ago

akrabat commented 7 years ago

Given this web action:

<?php
function main(array $args) : array
{
    return [
        'hello' => 'world'
    ];
}

This JS call in a browser will fail:

<!doctype html>
<html>
    <head>
    </head>
    <body>
        <h1>Test</h1>

        <pre id="data">
        </pre>

        <script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
        <script type="text/javascript">
            $(document).ready(function() {
                jQuery.ajax({
                    url: "https://openwhisk.eu-gb.bluemix.net/api/v1/web/19FT_dev/default/cors.json",
                    type: "GET",
                    // A custom request header makes this a non-simple CORS request,
                    // so the browser sends an OPTIONS preflight first (carrying
                    // Access-Control-Request-Headers) and checks the reply's
                    // Access-Control-Allow-Headers before issuing the GET.
                    headers: {
                        'X-Clacks-Overhead': 'GNU Terry Pratchett'
                    },
                    // application/json is not a CORS-safelisted Content-Type either,
                    // so content-type is listed in the preflight as well.
                    contentType: 'application/json; charset=utf-8',
                    success: function(resultData) {
                        console.log(resultData)
                        $('#data').html("Action result is: " + JSON.stringify(resultData))
                    },
                    error : function(jqXHR, textStatus, errorThrown) {
                        // The preflight failure surfaces here; the GET is never sent.
                        console.log("Error: " + textStatus)
                        console.log(errorThrown)
                        console.log(jqXHR)
                        $('#data').html("Error")
                    },
                    timeout: 120000,
                });
            });
        </script>
    </body>
</html>

With an error message in the Chrome console of:

XMLHttpRequest cannot load https://openwhisk.eu-gb.bluemix.net/api/v1/web/19FT_dev/default/cors.json. Request header field X-Clacks-Overhead is not allowed by Access-Control-Allow-Headers in preflight response.

This is because defaultCorsResponse sends back Access-Control-Allow-Headers of Authorization and Content-Type only.

What should happen is that Access-Control-Allow-Headers should be whatever was sent in Access-Control-Request-Headers.

csantanapr commented 7 years ago

I think this is important for the OPTIONS preflight; it looks like the client can specify the headers that the valid requests are intended to send.

csantanapr commented 7 years ago

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Request-Headers

The Access-Control-Request-Headers header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made.
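The exchange discussed in this issue, worked through as an added example (this is not OpenWhisk's code and not part of the thread): a preflight built from the jQuery call above, answered either with the fixed Allow-Headers list the issue reports defaultCorsResponse sending or with the requested headers reflected back, and a small emulation of the check the browser runs on the answer. The preflight header list and the page origin are constructed for the example; the emulation covers only the Allow-Headers comparison, not Allow-Origin or Allow-Methods.

```javascript
// Added example, not OpenWhisk's own code. Models the CORS preflight from the
// issue under two Access-Control-Allow-Headers policies and the browser's check.

// Request headers the Fetch spec lets through without being listed in
// Access-Control-Allow-Headers (the "CORS-safelisted" request headers).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Parse a comma-separated header-name list the way the browser compares
// names: trimmed and case-insensitive.
function parseHeaderList(value) {
  return (value || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Policy 1: the fixed list the issue says defaultCorsResponse answers with.
function fixedAllowHeaders(_requestedHeaders) {
  return 'Authorization, Content-Type';
}

// Policy 2: the behaviour the issue asks for. Echo back whatever the browser
// announced in Access-Control-Request-Headers. The browser only announces
// headers the page script actually set, so reflecting them lets the real
// request through; it does not grant the action anything extra.
function reflectAllowHeaders(requestedHeaders) {
  return requestedHeaders.length ? requestedHeaders.join(', ') : 'Authorization, Content-Type';
}

// Build the OPTIONS reply for a preflight. `preflight.headers` is the parsed
// Access-Control-Request-Headers list. Allow-Methods is left out on purpose;
// only the Allow-Headers decision is being illustrated.
function buildPreflightResponse(preflight, allowHeadersPolicy) {
  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': '*',
      'Access-Control-Allow-Headers': allowHeadersPolicy(preflight.headers),
    },
  };
}

// Emulate the browser's Allow-Headers check. Returns null when the actual
// request may proceed, otherwise the first requested header that was refused.
function browserPreflightCheck(requestedHeaders, response, { credentials = false } = {}) {
  const allowed = new Set(parseHeaderList(response.headers['Access-Control-Allow-Headers']));
  // A literal `*` only counts as a wildcard for requests sent without
  // credentials, and per the Fetch spec it never covers Authorization.
  const wildcard = allowed.has('*') && !credentials;
  for (const name of requestedHeaders) {
    const n = name.toLowerCase();
    if (SAFELISTED.has(n)) continue;
    if (allowed.has(n)) continue;
    if (wildcard && n !== 'authorization') continue;
    return name;
  }
  return null;
}

// Constructed preflight for the jQuery call in the issue: Chrome lists the
// non-safelisted header and the non-simple Content-Type, lowercased.
const issuePreflight = {
  method: 'OPTIONS',
  origin: 'https://example.test', // constructed page origin, not from the issue
  headers: parseHeaderList('content-type, x-clacks-overhead'),
};

// Run both policies against the same preflight and report what the browser
// would refuse under each one.
function demo() {
  const fixed = buildPreflightResponse(issuePreflight, fixedAllowHeaders);
  const reflected = buildPreflightResponse(issuePreflight, reflectAllowHeaders);
  return {
    fixedRejects: browserPreflightCheck(issuePreflight.headers, fixed),
    reflectedRejects: browserPreflightCheck(issuePreflight.headers, reflected),
  };
}

console.log(demo()); // { fixedRejects: 'x-clacks-overhead', reflectedRejects: null }
```

Reflecting the requested list is the portable choice for a public endpoint answered with `Access-Control-Allow-Origin: *`: a literal `*` in Allow-Headers would also work for this page, but it does not apply to credentialed requests and does not cover `Authorization`, so a script that authenticates against a web action would still fail its preflight.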