CORS config does not seem to be working #643
Labels
No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: vikunja/vikunja#643
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Below is configured in
config.yml
:access-control-allow-origin
header is empty when the origins are added, regardless of the number of origins entered.Attached is a screenshot of the header, the
/api/v1/info
endpoint has been attempted to produce this screenshot.Is the CORS config working properly?
It should definitely be working. It appears to work on try.
Does anything change if you change the
maxage
parameter to something other than 0?Does it work if you comment out the origins bit? (Should return a default of
*
)The openresty header in your screenshot is weird since I'm not using openresty. Is that a proxy you're using?
I have changed the maxage to something more than 0:
Attached are the headers - request is now made against the API endpoint, no reverse proxies involved this time.
I'm using v0.14.1 of the backend, which seems to be the latest available currently.
Yes, the openresty header field was on my end -- I'm using openresty on my reverse proxy server.
Does it work with the
*
origin, as default? This is what I get for try which only has the default configured:Hi, yes it does work with
*
origin -- but for a non-default configuration, this seems to fail. I'm current mitigating this by adding the headers manually on my reverse proxy.Okay that definitely seems broken. I'll try to figure out why, but maybe it's a bug in the middleware I'm using for this.
I did some digging and think it is working as intended. You need to provide the full url, including protocol and port. If you then visit the api from the same origin, you get a "good"
access-control-allow-origin
header back, if not you'll get an empty one. You can see this with curl:This configuration
gets me this: (emtpy
Access-Control-Allow-Origin
header)Whereas this
gives me a correct header back:
I've updated the docs to clarify this.
Closing as resolved, feel free to reopen if you have any issues.