zio / zio-http

A next-generation Scala framework for building scalable, correct, and efficient HTTP clients and servers
https://zio.dev/zio-http
Apache License 2.0

CorsConfig 'allowedHeaders' parameter generates an 'Access-Control-Expose-Headers' header #2941

Closed wiki1000 closed 1 month ago

wiki1000 commented 3 months ago

Describe the bug

In 3.0.0-RC9, the CorsConfig 'allowedHeaders' parameter generates an Access-Control-Expose-Headers header in HTTP responses in lieu of the 'Access-Control-Allow-Headers' header.

To Reproduce

Steps to reproduce the behaviour:

The CorsConfig is:

    import zio._
    import zio.http._
    import zio.http.Header.{AccessControlAllowHeaders, AccessControlAllowMethods, AccessControlAllowOrigin}
    import zio.http.Middleware.{CorsConfig, cors}

    val config: CorsConfig =
      CorsConfig(
        allowedOrigin = { case _ => Some(AccessControlAllowOrigin.All) },
        allowedMethods = AccessControlAllowMethods.All,
        allowedHeaders = AccessControlAllowHeaders.All,
      )

and after:

    val routes = Routes(
      Method.GET / Root -> handler {
        println("get")
        Response.text("foo")
      },
      Method.OPTIONS / Root -> handler { (req: Request) =>
        println("option")
        Response.text("")
        //.addHeader(AccessControlAllowHeaders.All)   // uncomment to solve the pb
      }
    ) @@ cors(config)

    def process = zio.http.Server
      .serve(routes)
      .provide(zio.http.Server.default)

The browser triggers a CORS error, which disappears if the header Access-Control-Allow-Headers is added manually, as proposed here in the example with the commented "addHeader" line.

The following HTML is provided to a Chrome browser, which automatically activates CORS with the "Origin: null" header:

    <html>
    <div
         hx-get="http://localhost:8080"
         hx-trigger="load"
         hx-swap="outerHTML">
        <p>Wait...</p>
    </div>
    </html>

Expected behaviour

The specified OPTIONS request response shall return among the response headers `access-control-allow-headers: *`

and not `access-control-expose-headers: *`


Additional context

The absence of the access-control-allow-headers header is visible in the Chrome console, and also in a curl request activating CORS:

curl  -v  -X OPTIONS --header "Origin: null"  http://localhost:8080
< HTTP/1.1 200 OK
< content-type: text/plain
< access-control-allow-origin: *
< access-control-allow-methods: *
< access-control-allow-credentials: true
< access-control-expose-headers: *
< date: Wed, 03 Jul 2024 19:01:14 GMT
< content-length: 0
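
The preflight exchange above, as an added example that is not part of this issue or of zio-http: a small Python checker that parses the header lines exactly as curl prints them and applies the rules a browser uses before it releases the real request. It assumes the htmx page sends its usual custom request headers (HX-Request and friends, listed in the code), since a non-safelisted request header is what forces the preflight and what Access-Control-Allow-Headers has to grant. The checker also flags Access-Control-Expose-Headers on a preflight (it only governs what script may read from the actual response, so on an OPTIONS reply it is ignored) and the wildcard-origin-plus-credentials combination visible in the same curl output, which the Fetch spec rejects for credentialed requests; the issue itself does not discuss that second point.

```python
# Added example (not code from the zio-http project): parse the raw header
# lines curl prints for a preflight (OPTIONS) response and check them against
# the rules a browser applies before releasing the real request.
from typing import Dict, Iterable, List

# Constructed sample: the preflight response quoted in the issue, as curl printed it.
SAMPLE_PREFLIGHT = """\
< HTTP/1.1 200 OK
< content-type: text/plain
< access-control-allow-origin: *
< access-control-allow-methods: *
< access-control-allow-credentials: true
< access-control-expose-headers: *
< date: Wed, 03 Jul 2024 19:01:14 GMT
< content-length: 0
"""

# Constructed sample: what the preflight should look like once the server
# answers with Access-Control-Allow-Headers instead of Expose-Headers.
SAMPLE_FIXED = """\
< HTTP/1.1 200 OK
< access-control-allow-origin: *
< access-control-allow-methods: *
< access-control-allow-headers: *
< content-length: 0
"""

# htmx adds custom request headers (HX-Request and friends); any one of them
# is enough to make the browser issue a preflight before the GET.
HTMX_REQUEST_HEADERS = ("HX-Request", "HX-Trigger", "HX-Target", "HX-Current-URL")


def parse_curl_headers(text: str) -> Dict[str, str]:
    """Turn curl's '< name: value' lines into a lower-cased header map."""
    headers: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("<"):
            continue                      # request lines ('>') and chatter ('*')
        body = line[1:].strip()
        if ":" not in body:
            continue                      # the status line, e.g. 'HTTP/1.1 200 OK'
        name, value = body.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_preflight(headers: Dict[str, str],
                    request_headers: Iterable[str] = (),
                    credentials: bool = False) -> List[str]:
    """Return finding codes; an empty list means the browser would accept the preflight.

    request_headers: the non-safelisted headers the real request will carry
                     (the browser lists them in Access-Control-Request-Headers).
    credentials:     whether the request is made with credentials; in that
                     mode '*' is a literal header name, not a wildcard.
    """
    findings: List[str] = []
    wanted = [h.lower() for h in request_headers]
    allow = headers.get("access-control-allow-headers")

    if wanted:
        if allow is None:
            findings.append("missing-allow-headers")
        elif allow.strip() == "*" and not credentials:
            pass                          # wildcard grants every requested header
        else:
            allowed = {h.strip().lower() for h in allow.split(",")}
            findings.extend(f"header-not-allowed:{h}" for h in wanted if h not in allowed)

    # Expose-Headers only controls what script may read from the *actual*
    # response; a preflight ignores it, so its presence here usually means
    # the wrong header was emitted.
    if "access-control-expose-headers" in headers:
        findings.append("expose-headers-on-preflight")

    # Browsers refuse a wildcard origin when credentials are in play.
    if credentials and headers.get("access-control-allow-origin", "").strip() == "*":
        findings.append("wildcard-origin-with-credentials")

    return findings


if __name__ == "__main__":
    for label, text in (("reported", SAMPLE_PREFLIGHT), ("fixed", SAMPLE_FIXED)):
        print(label, check_preflight(parse_curl_headers(text), HTMX_REQUEST_HEADERS))
```

Run against the response quoted in the issue the checker reports `missing-allow-headers` and `expose-headers-on-preflight`; against the corrected sample it reports nothing. Passing `credentials=True` shows the second failure mode: with credentials a `*` in Allow-Headers no longer matches anything, and `access-control-allow-origin: *` is rejected outright, so a server that wants to send `access-control-allow-credentials: true` has to echo a specific origin and list headers explicitly.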

jgoday commented 3 months ago

Hi @wiki1000, I was trying to reproduce your issue (successfully) and created the following PR: #2943.

jdegoes commented 2 months ago

/bounty $75

CC @jgoday

algora-pbc[bot] commented 2 months ago

💎 $75 bounty • ZIO

Steps to solve:

  1. Start working: Comment /attempt #2941 with your implementation plan
  2. Submit work: Create a pull request including /claim #2941 in the PR body to claim the bounty
  3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to zio/zio-http!


Attempt: 🟢 @jgoday, started Jul 30, 2024, 7:31:33 PM (GMT+0), solution #2943
jgoday commented 2 months ago

/attempt #2941

The problem seems to be that the options routes, which handle the CORS preflight request, were being added last, so the corsHeaders was not being correctly called.

algora-pbc[bot] commented 2 months ago

💡 @jgoday submitted a pull request that claims the bounty. You can visit your bounty board to reward.

algora-pbc[bot] commented 1 month ago

@jgoday: You've been awarded a $75 bounty by ZIO! 👉 Complete your Algora onboarding to collect the bounty.