microsoft / reverse-proxy

A toolkit for developing high-performance HTTP reverse proxy applications.
https://microsoft.github.io/reverse-proxy
MIT License

Query Regarding CORS Setup at API Gateway and Targeted Endpoint #2155

Closed mrmyroll2 closed 1 year ago

mrmyroll2 commented 1 year ago

I have encountered an issue regarding the Cross-Origin Resource Sharing (CORS) setup in an API Gateway. Although I have configured CORS in the API Gateway's Program.cs file, it appears that the CORS setup at the targeted endpoint is taking precedence, causing the API Gateway's CORS configuration to be ignored.

I would like to confirm whether this behavior is expected or if there might be an issue with my implementation. Ideally, I would expect the CORS setup at the API Gateway level to override any CORS configurations at the targeted endpoint, ensuring consistent CORS behavior across all requests.

Could you please provide clarification on whether the CORS setup in the targeted endpoint should supersede the CORS configuration at the API Gateway? If this is the intended behavior, I would appreciate any guidance on how to address this situation and ensure consistent CORS handling throughout the system.

Thank you for your assistance and insight. I look forward to your response.

Tratcher commented 1 year ago

Can you show us how you're setting up CORS in the gateway and the app?

Since CORS is mainly about setting response headers, it's a question of what happens when both try to set the same headers.

mrmyroll2 commented 1 year ago

Gateway's Program.cs

```csharp
// Name of the CORS policy the gateway should apply to proxied requests.
var allowOrigins = "_allowOrigins";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options => {
  options.AddPolicy(allowOrigins, policy => {
    policy
      .WithOrigins("https://*.example.com")
      .SetIsOriginAllowedToAllowWildcardSubdomains()
      .AllowAnyHeader()
      .WithMethods("GET", "POST")
      .AllowCredentials();
  });
});

// YarpConfig is the application's own helper that supplies the route and cluster configs.
builder.Services.AddReverseProxy()
    .LoadFromMemory(YarpConfig.GetRouteConfigs(), YarpConfig.GetClusterConfigs());

var app = builder.Build();

// The CORS middleware runs ahead of the proxy endpoints, so preflight requests are answered here.
app.UseCors(allowOrigins);
app.MapReverseProxy();

app.Run();
```

Endpoint's Program.cs

```csharp
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

var app = builder.Build();

// Accidentally left the CORS setup enabled in the endpoint:
// any origin is allowed, with credentials, so the backend emits its own
// Access-Control-* headers on every proxied response.
app.UseCors(x => x
    .AllowAnyMethod()
    .AllowAnyHeader()
    .SetIsOriginAllowed(origin => true)
    .AllowCredentials());

app.MapControllers();

app.Run();
```

To prioritize the CORS configuration of the gateway, we need to disable the CORS setup in the endpoint's Program.cs.

benjaminpetit commented 1 year ago

I think it makes sense that the CORS header set on the endpoint takes precedence over the one set up by the gateway, but I can see the arguments that it should be the other way around...

I guess you could remove the headers coming from the endpoint to use the one from the gateway?

mrmyroll2 commented 1 year ago

After reviewing the yarp documentation on CORS, we discovered that we neglected to include the policy name in the 'CorsPolicy'. We apologize for this oversight and believe that adding the policy name will rectify the issue.
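A gateway configuration that combines the fix from the last comment with benjaminpetit's suggestion, as an added example that is not code from this issue or from YARP itself: the route carries the CorsPolicy name so the gateway's policy is applied, and a response transform strips whatever Access-Control-* headers the backend sends. The route id, cluster id, path and backend address are assumptions.

```csharp
using Yarp.ReverseProxy.Configuration;
using Yarp.ReverseProxy.Transforms;

const string GatewayCorsPolicy = "_allowOrigins";
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options => options.AddPolicy(GatewayCorsPolicy, policy => policy
    .WithOrigins("https://*.example.com").SetIsOriginAllowedToAllowWildcardSubdomains()
    .AllowAnyHeader().WithMethods("GET", "POST").AllowCredentials()));

// CorsPolicy on the route is the metadata the CORS middleware looks for;
// a proxied route without it carries no CORS policy at all.
var routes = new[]
{
    new RouteConfig
    {
        RouteId = "api",                       // assumed route id
        ClusterId = "api-cluster",             // assumed cluster id
        CorsPolicy = GatewayCorsPolicy,
        Match = new RouteMatch { Path = "/api/{**catch-all}" },
    },
};

var clusters = new[]
{
    new ClusterConfig
    {
        ClusterId = "api-cluster",
        // Placeholder backend address, not taken from the issue.
        Destinations = new Dictionary<string, DestinationConfig>
            { ["primary"] = new() { Address = "https://backend.internal/" } },
    },
};

// Strip CORS headers the backend emits so only the gateway policy reaches the
// browser, even while the backend still carries its permissive setup.
string[] backendCorsHeaders = { "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials",
    "Access-Control-Allow-Methods", "Access-Control-Allow-Headers", "Access-Control-Expose-Headers" };

builder.Services.AddReverseProxy()
    .LoadFromMemory(routes, clusters)
    .AddTransforms(ctx =>
    {
        foreach (var header in backendCorsHeaders)
            ctx.AddResponseHeaderRemove(header, ResponseCondition.Always);
    });

var app = builder.Build();
app.UseCors();          // policy is selected per route from the metadata above
app.MapReverseProxy();
app.Run();
```

Preflight OPTIONS requests are answered by the CORS middleware and never reach the backend; for proxied requests the transform removes the backend's headers before the gateway policy's headers are written, so the browser only ever sees the gateway's allow-list.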