
Oathkeeper duplicates CORS headers #1100

Open
kamilkloch opened this issue May 2, 2023 · 3 comments
Labels
bug Something is not working.

Comments

@kamilkloch

Describe the bug

We are using oathkeeper and kratos services.
When oathkeeper CORS config looks as follows:

cors:
  enabled: true
  allowed_origins:
    - "https://ui-admin.our-company.com"

then the request

curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'

produces the following output in the headers:

access-control-allow-credentials: true
access-control-allow-credentials: true
access-control-allow-origin: https://ui-admin.our-company.com
access-control-allow-origin: https://ui-admin.our-company.com
vary: Origin
vary: Origin

oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).

This is quite problematic, as it breaks CORS requests issued by the browser: https://crashtest-security.com/multiple-values-access-control-allow-origin/
"While the header does support multiple origins, browsers usually do not. "

Reproducing the bug

curl -v 'https://webapi-user.our-company.com/api/v1/datafeed/rollingbar?name=ADAUSD' -H 'origin: https://ui-admin.our-company.com'

Relevant log output

No response

Relevant configuration

cors:
  enabled: true
  allowed_origins:
    - "https://ui-admin.our-company.com"

Version

0.40.2

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

@kamilkloch kamilkloch added the bug Something is not working. label May 2, 2023
civilizeddev commented May 16, 2023

I have experienced the same problem.

oathkeeper appends duplicate CORS headers to the response (in addition to CORS headers added by the underlying services).

@disambiguationuk

This could be avoided if we could strip upstream headers, however there doesn't seem like there's a supported way to do this.

aeneasr (Member) commented Aug 24, 2023

Wouldn't the easier solution be to turn off the CORS headers on the upstream, if Oathkeeper handles them anyway, or vice versa (turn them off in Oathkeeper, turn them on in the upstream)?
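The header-stripping approach disambiguationuk mentions, modelled as an added example that is not Oathkeeper's or Kratos's code: a stand-in gateway puts a CORS middleware in front of net/http/httputil's reverse proxy, and a ModifyResponse hook deletes the upstream's CORS headers (and the Origin member of its Vary list) before the proxy copies them into the client response. The proxy copies every upstream header with Add, which is exactly how a second Access-Control-Allow-Origin value ends up next to the gateway's own; the stripUpstream flag toggles between that leaky behaviour and the fixed one, and DuplicateCORSHeaders is the check for the symptom in the report. The gateway, the upstream server, the allow-list and the request path are constructed for the demonstration and are assumptions, not anything from the reporter's deployment.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Headers a CORS layer owns; two writers means two values and a browser rejection.
var corsResponseHeaders = []string{
	"Access-Control-Allow-Origin", "Access-Control-Allow-Credentials",
	"Access-Control-Allow-Methods", "Access-Control-Allow-Headers",
	"Access-Control-Expose-Headers", "Access-Control-Max-Age",
}

// StripUpstreamCORS deletes the upstream's CORS headers and drops "Origin" from
// its Vary list, so the gateway becomes the only writer of those headers.
func StripUpstreamCORS(h http.Header) {
	for _, name := range corsResponseHeaders {
		h.Del(name)
	}
	vary := h.Values("Vary")
	h.Del("Vary")
	for _, tok := range strings.Split(strings.Join(vary, ","), ",") {
		if tok = strings.TrimSpace(tok); tok != "" && !strings.EqualFold(tok, "Origin") {
			h.Add("Vary", tok) // keep unrelated Vary members such as Accept-Encoding
		}
	}
}

// DuplicateCORSHeaders lists the CORS headers that carry more than one value.
func DuplicateCORSHeaders(h http.Header) (dups []string) {
	for _, name := range corsResponseHeaders {
		if len(h.Values(name)) > 1 {
			dups = append(dups, name)
		}
	}
	return dups
}

// corsMiddleware stands in for the gateway's CORS handling: it echoes an
// allow-listed Origin (preflight handling is omitted for brevity).
func corsMiddleware(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// NewGateway puts the CORS middleware in front of a reverse proxy. The proxy
// copies upstream headers with Add, so without stripUpstream the upstream's
// CORS headers land next to the gateway's: the duplicates from the report.
func NewGateway(upstream string, allowed map[string]bool, stripUpstream bool) (http.Handler, error) {
	target, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if stripUpstream {
		proxy.ModifyResponse = func(resp *http.Response) error {
			StripUpstreamCORS(resp.Header)
			return nil
		}
	}
	return corsMiddleware(allowed, proxy), nil
}

// NewUpstream is a constructed backend that, like the reporter's services, sets its own CORS headers.
func NewUpstream() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		fmt.Fprint(w, `{"ok":true}`)
	}))
}

// Probe sends a cross-origin GET through the gateway and returns the response headers.
func Probe(gw http.Handler, origin string) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/datafeed/rollingbar?name=ADAUSD", nil)
	req.Header.Set("Origin", origin)
	gw.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	up := NewUpstream()
	defer up.Close()
	allowed := map[string]bool{"https://ui-admin.our-company.com": true}
	for _, strip := range []bool{false, true} {
		gw, _ := NewGateway(up.URL, allowed, strip)
		h := Probe(gw, "https://ui-admin.our-company.com")
		fmt.Printf("strip=%v duplicates=%v vary=%v\n", strip, DuplicateCORSHeaders(h), h.Values("Vary"))
	}
}
```

Disabling CORS on one side, as suggested in the comment above, removes the duplicates just as well. Stripping at the gateway has one extra property worth noting: the gateway's allow-list stays the only policy the browser ever sees, so an upstream that later starts emitting its own, more permissive Access-Control-Allow-Origin cannot widen what the gateway was configured to allow.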
