cyu / rack-cors

Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.
MIT License

My CORS setup blocks bad urls but not POSTMAN requests #245

Closed Ju777 closed 1 year ago

Ju777 commented 1 year ago

Hello,

When I send a GET HTTP request from POSTMAN, I receive data that I would like not to be reachable.

Here is my CORS setup:

in cors.rb :

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins "http://localhost:3001"

    resource '*',
             headers: :any,
             methods: %i[get post put patch delete options head],
             expose: %w[Authorization Uid]
  end
end

in application.rb : config.middleware.use Rack::Cors is the first middleware.

POSTMAN request: I add the header Origin: "http://localhost:3010", which is supposed to be unauthorized, but I receive data.

What did I miss?

Thanks.

jwworth commented 1 year ago

From the Rails Guides:

config.middleware.use(new_middleware, args) - Adds the new middleware at the bottom of the middleware stack.

config.middleware.insert_before(existing_middleware, new_middleware, args) - Adds the new middleware before the specified existing middleware in the middleware stack.

Your cors.rb and application.rb configurations seem to be in conflict. What changes when you remove the application config?

After you do that, what's the output of the following command?

bin/rails middleware

Ju777 commented 1 year ago

Hello Jake :)

Something that may be important: if I write some puts "something" statements in cors.rb, I can see the output in the server logs. I guess it means that the cors.rb file is running.

Answers to your suggestions: 'What changes when you remove the application config?': it's the same. I still get data with POSTMAN.

'What's the output of bin/rails middleware?'

use Rack::Cors
use ActionDispatch::HostAuthorization
use Rack::Sendfile
use ActionDispatch::Static
use ActionDispatch::Executor
use ActionDispatch::ServerTiming
use Rack::Runtime
use ActionDispatch::RequestId
use ActionDispatch::RemoteIp
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::ActionableExceptions
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::Migration::CheckPending
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use Warden::Manager
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use Warden::JWTAuth::Middleware
use Rack::Attack
run Rails7ApiBoilerplate::Application.routes

cyu commented 1 year ago

The middleware doesn't actually prevent the response from the server. The middleware returns the response on browser requests too, but the browser blocks the response from reaching the client.

The middleware does encode whether it passed or failed the CORS check though, and stores it in the request env object.

This middleware (and CORS in general) isn't a suitable solution to completely block data access, since the Origin: header can easily be spoofed (as you have easily done via Postman).
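The following is an added example, not code from rack-cors or from anyone in this thread. It is a minimal stand-in Rack stack that mirrors the behaviour cyu describes: the CORS layer decides whether the Origin is allowed, records that decision in the env (the key name `cors.allowed` is chosen for this example; rack-cors uses its own key), adds Access-Control-Allow-Origin only on a match, and always passes the body through. The hypothetical bearer-token check in `PROTECTED_APP` shows where access control actually has to live if non-browser clients such as Postman are to be kept out. It uses only plain Ruby, so it runs without the rack or rack-cors gems installed.

```ruby
# Added example (not rack-cors's own code). Demonstrates that a CORS
# middleware annotates responses but never withholds them, and that a
# server-side credential check is what actually restricts data access.

ALLOWED_ORIGINS = ['http://localhost:3001'].freeze # constructed, matches the issue

# Stand-in for a CORS middleware. Records its decision in env['cors.allowed']
# (key name chosen for this example), sets the CORS headers only on a match,
# and returns the downstream response unchanged in every case.
class DemoCors
  def initialize(app, origins)
    @app = app
    @origins = origins
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    allowed = !origin.nil? && @origins.include?(origin)
    env['cors.allowed'] = allowed

    status, headers, body = @app.call(env)
    headers = headers.dup
    if allowed
      headers['Access-Control-Allow-Origin'] = origin
      headers['Vary'] = 'Origin'
    end
    # Disallowed origin: the body still goes back. Only a browser will
    # refuse to hand it to page scripts because the header is missing.
    [status, headers, body]
  end
end

# An application that returns data to any caller. This is the situation in
# the issue: CORS headers vary, the data does not.
UNPROTECTED_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['{"secret":"data"}']]
end

VALID_TOKEN = 'example-token' # constructed placeholder, not a real credential

# Hypothetical hardened application: data is returned only with a valid
# bearer token, regardless of what Origin says.
PROTECTED_APP = lambda do |env|
  if env['HTTP_AUTHORIZATION'] == "Bearer #{VALID_TOKEN}"
    [200, { 'Content-Type' => 'application/json' }, ['{"secret":"data"}']]
  else
    [401, { 'Content-Type' => 'application/json' }, ['{"error":"unauthorized"}']]
  end
end

# Runs one GET through DemoCors + app and returns what a client would see,
# plus the CORS decision the middleware stored in the env.
def run_request(app, origin:, token: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_AUTHORIZATION'] = "Bearer #{token}" if token
  status, headers, body = DemoCors.new(app, ALLOWED_ORIGINS).call(env)
  {
    status: status,
    headers: headers,
    body: body.join,
    cors_allowed: env['cors.allowed']
  }
end

if __FILE__ == $PROGRAM_NAME
  puts 'Unprotected app, disallowed origin (the Postman case):'
  p run_request(UNPROTECTED_APP, origin: 'http://localhost:3010')
  puts 'Unprotected app, allowed origin:'
  p run_request(UNPROTECTED_APP, origin: 'http://localhost:3001')
  puts 'Protected app, disallowed origin, no token:'
  p run_request(PROTECTED_APP, origin: 'http://localhost:3010')
  puts 'Protected app, allowed origin, valid token:'
  p run_request(PROTECTED_APP, origin: 'http://localhost:3001', token: VALID_TOKEN)
end
```

The first call is the exact case from the issue: status 200, the full body, `cors_allowed` recorded as false, and no Access-Control-Allow-Origin header. Nothing in the CORS layer changes the status or the body; the 401 in the third call comes entirely from the application's own credential check.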