krakendio / krakend-cors
Adds CORS support to the KrakenD framework
Home Page: https://krakend.io
License: Apache License 2.0
I have a gateway in front of services and I set the gateway CORS policy as described in the documentation.
extra_config:
  github_com/devopsfaith/krakend-cors:
    allow_origins:
      - "......"
    allow_methods:
      - GET
      - POST
      - DELETE
      - OPTIONS
      - HEAD
    allow_headers:
      - Accept
      - Authorization
      - Content-Type
      - Accept-Version
    expose_headers:
      - Link
    allow_credentials: false
    max_age: 5m
Nonetheless, one of the subservices the gateway is in front of also has a CORS middleware and hence, sets the different headers. I would expect the gateway to take precedence and overwrite the headers with its own configuration instead of adding more headers, leading to the following issue: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed
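The duplicate header described above, reproduced in-process as an added example (not part of the original issue or of krakend-cors). The backend, the gateway function and the https://app.example origin are constructed stand-ins; the second call shows a gateway dropping upstream Access-Control-* headers so that only its own policy reaches the browser.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// backend is a constructed upstream service that applies its own CORS policy.
var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	fmt.Fprint(w, "{}")
})

// gateway sets its own CORS header, calls the backend in-process and copies the
// backend's response headers the way a proxy does (Add, not Set).
func gateway(stripUpstreamCORS bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "https://app.example")
		up := httptest.NewRecorder()
		backend.ServeHTTP(up, r)
		for name, values := range up.Header() {
			if stripUpstreamCORS && strings.HasPrefix(name, "Access-Control-") {
				continue // gateway policy wins: drop the upstream's CORS headers
			}
			for _, v := range values {
				w.Header().Add(name, v)
			}
		}
		w.WriteHeader(up.Code)
		w.Write(up.Body.Bytes())
	})
}

// allowOriginValues returns every Access-Control-Allow-Origin value a client sees.
func allowOriginValues(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header.Values("Access-Control-Allow-Origin")
}

func main() {
	fmt.Println("pass-through:", allowOriginValues(gateway(false))) // two values
	fmt.Println("stripped:    ", allowOriginValues(gateway(true)))  // one value
}
```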
I'm sorry, but this documentation is horrible..
First of all there are many mistakes here:
Configuration Example
"extra_config": {
  "github_com/devopsfaith/krakend-cors": {
    "allow_origins": [ "http://foobar.com" ],
    "allow_methods": [ "POST", "GET"],
    "max_age": "12h"
  }
}
or leave the defaults (the defaults allows all origins):
"extra_config": {
  github_com/devopsfaith/krakend-metrics": {
    "allow_origins": []
  }
}
krakend metrics?? Missing "?? And also.. this does not work.. what more do I have to do?
I saw gin tests, but it didn't even use extra config from json.. How do I use this middleware????
I tried everything nothing works..
I'm trying to get CORS to work when withCredentials is true in my XMLHttpRequest, but for any origin. If I use "allow_origins": [] or "allow_origins": ["*"] in my "github_com/devopsfaith/krakend-cors" config, CORS will only work if withCredentials is false.
I can get CORS to work when withCredentials is true only if I specifically whitelist all allowed origins.
The problem is that with "allow_origins": [] or "allow_origins": ["*"], Access-Control-Allow-Origin comes back as "*". I need to have the origin of the request echoed back in the Access-Control-Allow-Origin header instead.
Is there a way to specify that behavior?
"github_com/devopsfaith/krakend-cors": {
  "allow_origins": ["http://localhost:8080"], // Or [] or ["*"] - which only changes the limitation or error I get
  "allow_headers": ["Origin", "Authorization", "Content-Type", "Accept", "X-Auth-Token"],
  "expose_headers": ["Content-Type", "Content-Length"],
  "allow_credentials": true
}
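The header decision discussed above, written out as an added example (not part of the original issue and not krakend-cors code). corsHeaders is a hypothetical function whose parameters mirror the allow_origins and allow_credentials keys; its policy is an assumption: with credentials it echoes only origins on the list, because reflecting every origin would let any site read authenticated responses.

```go
package main

import (
	"fmt"
	"net/http"
)

// corsHeaders returns the CORS response headers for one request Origin.
// allowOrigins and allowCredentials mirror the config keys quoted above;
// the decision logic is an assumed policy, not the middleware's own.
func corsHeaders(origin string, allowOrigins []string, allowCredentials bool) http.Header {
	h := http.Header{}
	if origin == "" {
		return h // no Origin header: not a cross-origin request
	}
	wildcard := len(allowOrigins) == 0 // empty list means "all origins"
	listed := false
	for _, o := range allowOrigins {
		wildcard = wildcard || o == "*"
		listed = listed || o == origin
	}
	switch {
	case allowCredentials && listed:
		// Browsers reject "*" on credentialed requests: echo the listed origin.
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
		h.Set("Vary", "Origin") // the response now differs per origin
	case !allowCredentials && wildcard:
		h.Set("Access-Control-Allow-Origin", "*")
	case !allowCredentials && listed:
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Vary", "Origin")
	}
	// Credentials with only a wildcard: emit nothing instead of reflecting
	// every origin, which would let any site read authenticated responses.
	return h
}

func main() {
	local := "http://localhost:8080" // constructed sample origin
	fmt.Println(corsHeaders(local, []string{"*"}, false))
	fmt.Println(corsHeaders(local, []string{"*"}, true))
	fmt.Println(corsHeaders(local, []string{local}, true))
}
```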
First of all, I am not sure if this is actually an issue with krakend but even if it isn't, then this might be something that is missing from the docs.
I have an SPA that should access a microservice via krakend with the help of CORS. I followed the guide in https://www.krakend.io/docs/service-settings/cors/ and set up CORS like this:
"github_com/devopsfaith/krakend-cors": {
  "allow_origins": [
    "http://localhost:4200/",
    "https://my-spa-app.mydomain.com/",
    "https://my-spa-app.testing.mydomain.com/",
    "https://my-spa-app.staging.mydomain.com/"
  ],
  "expose_headers": [
    "Content-Length",
    "Content-Type"
  ],
  "max_age": "5m",
  "allow_headers": [
    "Accept-Language",
    "Authorization"
  ],
  "allow_credentials": true
}
I tried different variations and whatever I try, the gateway never responds with correct CORS response headers (Access-Control-Allow-Origin etc.). I tested this via the mentioned SPA as well as via curl.
This might be related to krakend/krakend-ce#137.
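A check worth running on an allow_origins list like the one above, as an added example (not from the original issue or from krakend-cors). Browsers send the Origin header as scheme://host[:port] with no trailing slash or path, so an entry such as "http://localhost:4200/" does not equal it when the middleware compares strings exactly, which is an assumption here; normalizeOrigin is a hypothetical helper.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// normalizeOrigin turns an allow_origins entry into the form a browser sends in
// the Origin header (scheme://host[:port]) and reports whether it had to change.
func normalizeOrigin(entry string) (origin string, changed bool, err error) {
	if entry == "*" {
		return entry, false, nil
	}
	u, err := url.Parse(entry)
	if err != nil {
		return "", false, err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", false, fmt.Errorf("%q is not scheme://host[:port]", entry)
	}
	// Scheme and host are case-insensitive; path, query and fragment are never
	// part of an Origin header value.
	origin = strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
	return origin, origin != entry, nil
}

func main() {
	// Entries copied from the configuration in the post above.
	entries := []string{
		"http://localhost:4200/",
		"https://my-spa-app.mydomain.com/",
		"https://my-spa-app.testing.mydomain.com/",
		"https://my-spa-app.staging.mydomain.com/",
	}
	for _, e := range entries {
		o, changed, err := normalizeOrigin(e)
		switch {
		case err != nil:
			fmt.Println("invalid:", err)
		case changed:
			fmt.Printf("%q is not in Origin header form; use %q\n", e, o)
		default:
			fmt.Printf("%q ok\n", e)
		}
	}
}
```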
Update the gin adapter to use rs/cors (like mux) instead of gin-contrib/cors.v1
Will fix behaviours like #3
The middleware generates preflight responses to OPTIONS requests for any path (regardless of that path being configured).
This seems to be due to the fact that the middleware is not considering the endpoint configuration and is reacting to requests prior to the router.
This doesn't seem correct to me since it suggests to clients that they can expect responses to certain paths where they wouldn't get any.
Since krakend doesn't support other types of OPTIONS requests, this middleware could wrap the CORS handler once more and only forward OPTIONS requests for paths that are configured.
In the future, supported methods could also be identified this way and CORS settings could be made endpoint-specific.
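The wrapping proposed above, sketched with net/http as an added example (not part of the original issue and not krakend-cors code). preflightGate, answerAllPreflights and the single /users endpoint are hypothetical names and constructed data; the stand-in CORS handler replies to every OPTIONS request, which reproduces the reported behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// preflightGate hands OPTIONS requests to the CORS handler only for configured
// paths; any other OPTIONS request goes straight to the router.
func preflightGate(configured map[string]bool, cors, router http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions && !configured[r.URL.Path] {
			router.ServeHTTP(w, r) // unknown path: no CORS answer, router decides
			return
		}
		cors.ServeHTTP(w, r)
	})
}

// answerAllPreflights stands in for a CORS middleware placed before the router.
func answerAllPreflights(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions {
			w.Header().Set("Access-Control-Allow-Origin", "*")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflightStatus returns the status an OPTIONS request to path receives.
func preflightStatus(gated bool, path string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/users", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "[]") })
	h := answerAllPreflights(mux)
	if gated {
		h = preflightGate(map[string]bool{"/users": true}, h, mux)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodOptions, path, nil))
	return rec.Code
}

func main() {
	p := "/not-configured"
	fmt.Println(p, "ungated:", preflightStatus(false, p), "gated:", preflightStatus(true, p))
}
```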
Is this intentional, or should it refer to github.com/krakendio/krakend-cors/v2?
Because of gin-contrib/cors#37 we need to manually set AllowAllOrigins to true if AllowOrigins is empty or has a wildcard.
I have been deploying the KrakenD image 0.9.0 (with the Docker command) for a while, and everything works properly.
But when I tried to upgrade the KrakenD image to version 1.0.0 with the same configuration and testing, I found that a CORS problem occurred.
What should I do as a workaround or to investigate this problem?
This is my CORS configuration
"github_com/devopsfaith/krakend-cors": {
  "allow_origins": [
    "*"
  ],
  "allow_headers": [
    "Content-Length",
    "Authorization",
    "Content-Type"
  ],
  "expose_headers": [
    "Content-Length"
  ]
}
When I use https://github.com/devopsfaith/krakend-config-migrator to migrate my configuration for v2, it changed the github_com/devopsfaith/krakend-cors namespace into security/cors, and this probably broke the CORS functionality because this line https://github.com/devopsfaith/krakend-cors/blob/9e903f85f6681d4651442372baca4c2e4aedf0b7/cors.go#L10 still refers to the old namespace.
Happy to contribute to this, but I wonder if this also happened to other Lura opensource plugins too in the wake of recent v2 release?