Wouldn't the easier solution be to turn off the CORS headers on the upstream, if oathkeeper handles them anyway, or vice versa (turn off in oathkeeper, turn on in upstream)?
Preflight checklist
Describe the bug
We are using the oathkeeper and kratos services.
When oathkeeper CORS config looks as follows:
then the request
produces the following output in the headers:
oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).
This is quite problematic, as it breaks CORS requests issued by the browser: https://crashtest-security.com/multiple-values-access-control-allow-origin/
"While the header does support multiple origins, browsers usually do not."
Reproducing the bug
curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'
Relevant log output
No response
Relevant configuration
Version
0.40.2
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
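The mechanism behind the report, and the fix the reply above suggests (let exactly one layer emit CORS headers), as an added example in Go. This is not code from the issue or from oathkeeper: a stand-in backend that sets its own CORS headers sits behind a stand-in gateway built on `net/http/httputil.ReverseProxy`, which copies upstream headers into the client response with `Header.Add`, so any CORS header the gateway already wrote ends up with a second value. The origin and path are taken from the reporter's curl command; the JSON body, the `corsHeaders` list and the helper names (`newProxy`, `duplicateCORS`, `Exchange`) are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Origin from the reporter's curl command; used as the gateway's single allowed origin.
const allowedOrigin = "https://ui-admin.our-company.com"

// corsHeaders are the response headers exactly one layer should own. When both the
// gateway and the upstream emit them, the browser sees two values and rejects the response.
var corsHeaders = []string{
	"Access-Control-Allow-Origin",
	"Access-Control-Allow-Credentials",
	"Access-Control-Allow-Methods",
	"Access-Control-Allow-Headers",
	"Access-Control-Expose-Headers",
	"Access-Control-Max-Age",
}

// upstream is a constructed stand-in for a backend that already sets CORS headers itself.
func upstream() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"name":"ADAUSD"}`) // constructed sample body
	})
}

// newProxy builds a gateway that writes its own CORS policy in front of target.
// stripUpstream=false reproduces the bug: the upstream's CORS headers are appended on
// top of the gateway's. stripUpstream=true deletes them before they are copied through.
func newProxy(target *url.URL, stripUpstream bool) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	if stripUpstream {
		rp.ModifyResponse = func(resp *http.Response) error {
			for _, h := range corsHeaders {
				resp.Header.Del(h)
			}
			return nil
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Gateway CORS policy, written before the upstream response is copied in.
		// ReverseProxy copies upstream headers with Header.Add, so whatever the
		// upstream also sends becomes a second value of the same header.
		if origin := r.Header.Get("Origin"); origin == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Vary", "Origin")
		}
		rp.ServeHTTP(w, r)
	})
}

// duplicateCORS reports which CORS headers carry more than one value, the condition
// that makes browsers fail the request; run it over any captured response headers.
func duplicateCORS(h http.Header) []string {
	var dups []string
	for _, name := range corsHeaders {
		if len(h.Values(name)) > 1 {
			dups = append(dups, name)
		}
	}
	return dups
}

// Exchange sends one cross-origin GET through the gateway chain and returns the
// response headers as the browser would see them.
func Exchange(stripUpstream bool) (http.Header, error) {
	backend := httptest.NewServer(upstream())
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		return nil, err
	}
	proxy := newProxy(target, stripUpstream)

	req := httptest.NewRequest(http.MethodGet, "/api/v1/datafeed/rollingbar?name=ADAUSD", nil)
	req.Header.Set("Origin", allowedOrigin)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return rec.Result().Header, nil
}

func main() {
	for _, strip := range []bool{false, true} {
		h, err := Exchange(strip)
		if err != nil {
			panic(err)
		}
		fmt.Printf("strip upstream CORS=%v  Access-Control-Allow-Origin=%q  duplicates=%v\n",
			strip, h.Values("Access-Control-Allow-Origin"), duplicateCORS(h))
	}
}
```

Without stripping, `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` each come back twice; with the `ModifyResponse` hook they come back once. The same one-owner rule applies in the other direction: if the upstream keeps its CORS configuration, the gateway should send none rather than both layers trying to agree on identical values.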