Open GiamBoscaro opened 10 months ago
Hi, I can't seem to reproduce this. In order to help debug, can you please confirm:
What the server's cors config value is? e.g.:
curl \
-H "X-Vault-Token: $VAULT_TOKEN" \
https://your-domain/v1/sys/config/cors
Check using developer tools in the web browser how the cross origin request is performed: a. Whether you see an OPTIONS request with the Origin header set? b. What the response headers to the OPTIONS request are? c. Whether the Origin header is set in the GET request to https://my-vault-url/status d. What the response headers to that GET request are?
Hi, I can't seem to reproduce this. In order to help debug, can you please confirm:
- What the server's cors config value is? e.g.:
curl \ -H "X-Vault-Token: $VAULT_TOKEN" \ https://your-domain/v1/sys/config/cors
I had already in my OP, but anyway here it is:
{
"allowed_headers": [
"Content-Type",
"X-Requested-With",
"X-Vault-AWS-IAM-Server-ID",
"X-Vault-MFA",
"X-Vault-No-Request-Forwarding",
"X-Vault-Wrap-Format",
"X-Vault-Wrap-TTL",
"X-Vault-Policy-Override",
"Authorization",
"X-Vault-Token"
],
"allowed_origins": [
"*"
],
"enabled": true
}
- Check using developer tools in the web browser how the cross origin request is performed: a. Whether you see an OPTIONS request with the Origin header set? b. What the response headers to the OPTIONS request are?
I do not see an OPTIONS request. But I do not see it also for all the others API call that I am making and that are not failing.
c. Whether the Origin header is set in the GET request to https://my-vault-url/status
The origin is set to https://my-website, but it makes sense since the API call is made from a website in a different domain from the Vault one.
d. What the response headers to that GET request are?
alt-svc: h3=":443"; ma=2592000
cache-control: no-store
content-length: 14
content-type: application/json
date: Tue, 05 Dec 2023 13:34:34 GMT
strict-transport-security: max-age=31536000; includeSubDomains
For sure I am missing these headers, that appear in the other API calls:
access-control-allow-credentials: true
access-control-allow-origin: https://my-website
Thanks for providing that information. One additional question, are you using any proxying when accessing Vault, including perhaps vault proxy or vault agent in proxy mode?
I am not using vault proxy or anything internal to Vault, but I am behind a company proxy. But I don't know if that could be the culprit because everything else is working.
Unfortunately I still can't reproduce this. I was thinking that perhaps the Origin
header wasn't getting forwarded to Vault, but I agree that it seems unlikely if you're experiencing no other CORS errors.
Can you check what headers are returned when you use curl to directly query Vault and supply an Origin
header? E.g.
curl --head -X GET -H 'Origin: http://example.com' -L https://your-vault-url/status
This is what I get from curl:
< HTTP/2 404
HTTP/2 404
< alt-svc: h3=":443"; ma=2592000
alt-svc: h3=":443"; ma=2592000
< cache-control: no-store
cache-control: no-store
< content-type: application/json
content-type: application/json
< date: Wed, 06 Dec 2023 06:55:42 GMT
date: Wed, 06 Dec 2023 06:55:42 GMT
< strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000; includeSubDomains
< content-length: 14
content-length: 14
One thing I have noticed is this: I have pocked around with the CORS settings, and changed the Wildcard to some URL that we need to be able to connect from. These are basically https://my-website.com. I was working then on Vault UI and I could not save some changes that I have made because I was getting a CORS error by my Vault UI itself. I needed to add https://my-vault to the Allowed Origins in the Vault CORS to make it work again. This means that CORS settings are actually working somehow, but not completely.
I will also be more explicit with my setup. I am using an Angular 13 application and connecting to different services in the same domain but different subdomain. Until now everything was working with CORS. I can connect to api.my-domain, platform.my-domain, something-else.my-domain without any problem. These are mostly Node.js and Python services. obviously with CORS origins set up correctly.The only CORS error that I get is from vault.my-domain for some reason.
Obvously since it is a CORS problem I am getting this only on my browser, so curl is working, http request from our backend are working, wget is working. It is just the api call from the browser that is not working.
This is what I get from curl:
< HTTP/2 404 HTTP/2 404 < alt-svc: h3=":443"; ma=2592000 alt-svc: h3=":443"; ma=2592000 < cache-control: no-store cache-control: no-store < content-type: application/json content-type: application/json < date: Wed, 06 Dec 2023 06:55:42 GMT date: Wed, 06 Dec 2023 06:55:42 GMT < strict-transport-security: max-age=31536000; includeSubDomains strict-transport-security: max-age=31536000; includeSubDomains < content-length: 14 content-length: 14
This is what I would expect if either:
Origin
header in the curl commandI would verify again what the server's CORS config value is:
curl \
-H "X-Vault-Token: $VAULT_TOKEN" \
https://your-vault-domain/v1/sys/config/cors
If you are trying to use a wildcard for the allowed_origins
value, note that it must be the only element in the array. I.e. you cannot do:
"allowed_origins": ["*", "example.com"]
Unfortunately without a minimal example that can reproduce this, I won't be able to track down what's causing your issue.
curl --head -X GET -H 'Origin: http://example.com' -L https://your-vault-url/status
Yes I was using the "*" alone, and I then switched to the list of our domains. I tried both and they're both not working. I have retried today with curl.
This works now:
curl -X GET -H 'Origin: http://localhost:4200' -L https://my-vault/status
but also this works without Origin:
curl -X GET -L https://my-vault/status
Then I tried again on Angular from localhost:4200 and I still get the error. Very confusing honestly. Angular is setting the headers correctly, I can see it on the browser console:
origin: http://localhost:4200
referer: http://localhost:4200/
Describe the bug I set the CORS Allowed Origins through the
sys/config/cors
API, but on my frontend I still get a CORS error.Current CORS config:
To Reproduce Run Vault and set the Allowed Origins with the
sys/config/cors
API:Try to do an API request from a browser to
https://my-vault-url/status
.Get an error:
Expected behavior Should not get a CORS error on the frontend
Environment:
vault status
): 1.15.2vault version
): 1.15.2Vault server configuration file(s):
Additional context I have tried to use the wildcard *, and also setting manually the origins. I does not work, neither from localhost nor from our staging environment.