wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0

CORS Configurations: Access Control Allow Methods Not Working Properly #2770

Open SavinduDimal opened 6 months ago

SavinduDimal commented 6 months ago

Description

Even though an HTTP method is removed from the Access Control Allowed Methods list for an API from the publisher portal, that method can be successfully invoked from the developer portal.

It was observed that the Access-Control-Allow-Methods: header is empty for the following request.

curl 'https://localhost:8244/t/wso2.com/pizzashack/1.0.0/menu' -X OPTIONS -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: abc,authorization' -H 'Referer: https://localhost:9444/' -H 'Origin: https://localhost:9444' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-site'
HTTP/1.1 200 OK
Origin: https://localhost:9444
Accept: */*
Access-Control-Allow-Origin: https://localhost:9444
Access-Control-Allow-Methods: 
Referer: https://localhost:9444/
Sec-Fetch-Dest: empty
Sec-Fetch-Site: same-site
Host: localhost:8244
Accept-Encoding: gzip, deflate, br
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction,apikey,Internal-Key,abc,Authorization,ApiKey
Sec-Fetch-Mode: cors
activityid: fca119fa-5245-4598-8305-a41d633f6028
Access-Control-Expose-Headers: 
Access-Control-Request-Method: GET
Access-Control-Request-Headers: abc,authorization
Accept-Language: en-US,en;q=0.5
Date: Mon, 01 Apr 2024 06:36:36 GMT
Transfer-Encoding: chunked
Connection: keep-alive

Steps to Reproduce

  1. Deploy the sample API from the publisher portal
  2. Enable CORS configuration for the API from Runtime Configurations
  3. Remove GET from Access Control Allowed Methods
  4. Save and deploy the API
  5. Log in to the Developer portal and invoke an API resource with the GET method

Affected Component

APIM

Version

4.3.0

Environment Details (with versions)

No response

Relevant Log Output

No response

Related Issues

No response

Suggested Labels

No response
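To see why an empty Access-Control-Allow-Methods header does not stop a GET, it helps to model both halves of the preflight: what a gateway should answer for an OPTIONS request given the API's configured CORS policy, and the check a browser applies to that answer. The script below is an added, constructed example (not WSO2 code and not taken from the API Manager source); the names `CorsPolicy`, `build_preflight_response` and `browser_allows` are hypothetical. The browser side follows the rule in the Fetch standard's CORS-preflight fetch: GET, HEAD and POST are CORS-safelisted methods, so a browser never requires them to appear in Access-Control-Allow-Methods, while a non-safelisted method such as DELETE is blocked unless it is listed. The captured headers are copied from the OPTIONS response quoted above.

```python
"""Model of a CORS preflight: gateway response and browser-side check.

Constructed example for the issue above; not WSO2 API Manager code.
"""
from __future__ import annotations

from dataclasses import dataclass

# Fetch standard: these methods never need to be listed in
# Access-Control-Allow-Methods for a preflight to succeed.
CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def _csv(value: str) -> set[str]:
    """Split a comma-separated header value into trimmed, non-empty tokens."""
    return {t.strip() for t in value.split(",") if t.strip()}


@dataclass
class CorsPolicy:
    """The per-API CORS settings a gateway is configured with (hypothetical)."""
    allowed_origins: set[str]
    allowed_methods: set[str]
    allowed_headers: set[str]
    allow_credentials: bool = False


def build_preflight_response(policy: CorsPolicy, origin: str,
                             req_method: str, req_headers: set[str]) -> dict[str, str] | None:
    """Headers a gateway should return for an OPTIONS preflight.

    Returns None when the origin, requested method or requested headers are
    not permitted; in that case the gateway should answer without any
    Access-Control-* headers so the browser's preflight fails.
    """
    if origin not in policy.allowed_origins:
        return None
    if req_method not in policy.allowed_methods:
        return None
    lower_allowed = {h.lower() for h in policy.allowed_headers}
    if not {h.lower() for h in req_headers} <= lower_allowed:
        return None
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ",".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ",".join(sorted(policy.allowed_headers)),
    }
    if policy.allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def browser_allows(resp: dict[str, str], origin: str, req_method: str,
                   req_headers: set[str], credentials: bool = False) -> bool:
    """Simplified Fetch-standard check a browser applies to a preflight response."""
    acao = resp.get("Access-Control-Allow-Origin")
    if acao != origin and not (acao == "*" and not credentials):
        return False
    acam = resp.get("Access-Control-Allow-Methods")
    # Absent header: only the requested method itself is implied.
    methods = _csv(acam) if acam is not None else {req_method}
    method_ok = (req_method in methods
                 or req_method in CORS_SAFELISTED_METHODS
                 or ("*" in methods and not credentials))
    if not method_ok:
        return False
    allowed_headers = {h.lower() for h in _csv(resp.get("Access-Control-Allow-Headers", ""))}
    for name in req_headers:
        lname = name.lower()
        if lname == "authorization":
            if lname not in allowed_headers:   # never covered by a wildcard
                return False
        elif lname not in allowed_headers and not ("*" in allowed_headers and not credentials):
            return False
    return True


# Copied from the OPTIONS response quoted in the issue (only the CORS headers).
CAPTURED_PREFLIGHT = {
    "Access-Control-Allow-Origin": "https://localhost:9444",
    "Access-Control-Allow-Methods": "",
    "Access-Control-Allow-Headers": "authorization,Access-Control-Allow-Origin,Content-Type,"
                                    "SOAPAction,apikey,Internal-Key,abc,Authorization,ApiKey",
}


if __name__ == "__main__":
    origin = "https://localhost:9444"
    print("GET with empty Allow-Methods, browser proceeds:",
          browser_allows(CAPTURED_PREFLIGHT, origin, "GET", {"abc", "authorization"}))
    print("DELETE with empty Allow-Methods, browser proceeds:",
          browser_allows(CAPTURED_PREFLIGHT, origin, "DELETE", {"abc"}))
    policy = CorsPolicy({origin}, {"POST", "PUT", "DELETE"}, {"authorization", "Content-Type", "abc"})
    print("Gateway preflight answer for GET when GET is not allowed:",
          build_preflight_response(policy, origin, "GET", {"abc"}))
```

Two practical consequences follow from the model. First, a browser treats GET, HEAD and POST as permitted whatever Access-Control-Allow-Methods says, so editing that list can only ever hide other methods from browser-originated requests. Second, CORS headers are advisory to browsers only; a curl call like the one above ignores them entirely. A method removed from an API's allowed list therefore has to be rejected by the gateway on the actual request (with a 405 or 403), not just omitted from the preflight response.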

SavinduDimal commented 6 months ago

Please note that this can be reproduced in APIM 4.2.0, 4.1.0, 4.0.0 and 3.2.0 packs as well.