Skip to content

Commit

Permalink
fix(cors) set 'Vary: Origin' when ACAC is enabled
Browse files Browse the repository at this point in the history 
When Access-Control-Allow-Origin is not *, the cors plugin
normally sets `Vary: Origin`. In the case when the plugin sets
Access-Control-Allow-Credentials, `Vary: Origin` is missing.

When that happens, the browser is told to uses its cache even
when the origin is different and then CORS fails by rejecting the
non-matching origin.

From Kong#3765
  • Loading branch information
@marckhouzam @thibaultcha
marckhouzam authored and thibaultcha committed Oct 4, 2018
1 parent 2cdd07e commit acdd89d
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 0 deletions.
1 change: 1 addition & 0 deletions kong/plugins/cors/handler.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ local function configure_credentials(ngx, conf)
if req_origin then
ngx.header["Access-Control-Allow-Origin"] = req_origin
ngx.header["Access-Control-Allow-Credentials"] = "true"
ngx.header["Vary"] = "Origin"
end
end
end
Expand Down
13 changes: 13 additions & 0 deletions spec/03-plugins/14-cors/01-access_spec.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,7 @@ for _, strategy in helpers.each_strategy() do
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
assert.is_nil(res.headers["Vary"])
end)

it("gives * wildcard when origins is empty", function()
Expand All @@ -182,6 +183,7 @@ for _, strategy in helpers.each_strategy() do
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
assert.is_nil(res.headers["Vary"])
end)

it("gives appropriate defaults when origin is explicitly set to *", function()
Expand All @@ -198,6 +200,7 @@ for _, strategy in helpers.each_strategy() do
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
assert.is_nil(res.headers["Vary"])
end)

it("accepts config options", function()
Expand All @@ -213,6 +216,7 @@ for _, strategy in helpers.each_strategy() do
assert.equal("23", res.headers["Access-Control-Max-Age"])
assert.equal("true", res.headers["Access-Control-Allow-Credentials"])
assert.equal("origin,type,accepts", res.headers["Access-Control-Allow-Headers"])
assert.equal("Origin", res.headers["Vary"])
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
end)

Expand Down Expand Up @@ -258,6 +262,7 @@ for _, strategy in helpers.each_strategy() do
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
assert.is_nil(res.headers["Vary"])
end)

it("accepts config options", function()
Expand All @@ -271,6 +276,7 @@ for _, strategy in helpers.each_strategy() do
assert.equal("example.com", res.headers["Access-Control-Allow-Origin"])
assert.equal("x-auth-token", res.headers["Access-Control-Expose-Headers"])
assert.equal("true", res.headers["Access-Control-Allow-Credentials"])
assert.equal("Origin", res.headers["Vary"])
assert.is_nil(res.headers["Access-Control-Allow-Methods"])
assert.is_nil(res.headers["Access-Control-Allow-Headers"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
Expand All @@ -291,6 +297,7 @@ for _, strategy in helpers.each_strategy() do
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
assert.is_nil(res.headers["Vary"])
end)

it("works with 40x responses returned by another plugin", function()
Expand All @@ -307,6 +314,7 @@ for _, strategy in helpers.each_strategy() do
assert.is_nil(res.headers["Access-Control-Expose-Headers"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Access-Control-Max-Age"])
assert.is_nil(res.headers["Vary"])
end)

it("sets CORS orgin based on origin host", function()
Expand All @@ -319,6 +327,7 @@ for _, strategy in helpers.each_strategy() do
})
assert.res_status(200, res)
assert.equal("http://www.example.com", res.headers["Access-Control-Allow-Origin"])
assert.equal("Origin", res.headers["Vary"])

local domains = {
["example.com"] = true,
Expand All @@ -339,6 +348,7 @@ for _, strategy in helpers.each_strategy() do
assert.res_status(200, res)
assert.equal(domains[domain] and domain or nil,
res.headers["Access-Control-Allow-Origin"])
assert.equal("Origin", res.headers["Vary"])
end
end)

Expand All @@ -365,6 +375,7 @@ for _, strategy in helpers.each_strategy() do
assert.res_status(200, res)
assert.equals("http://www.example.net", res.headers["Access-Control-Allow-Origin"])
assert.equals("true", res.headers["Access-Control-Allow-Credentials"])
assert.equal("Origin", res.headers["Vary"])
end)

it("responds with the requested Origin (including port) when config.credentials=true", function()
Expand All @@ -378,6 +389,7 @@ for _, strategy in helpers.each_strategy() do
assert.res_status(200, res)
assert.equals("http://www.example.net:3000", res.headers["Access-Control-Allow-Origin"])
assert.equals("true", res.headers["Access-Control-Allow-Credentials"])
assert.equal("Origin", res.headers["Vary"])
end)

it("responds with * when config.credentials=false", function()
Expand All @@ -391,6 +403,7 @@ for _, strategy in helpers.each_strategy() do
assert.res_status(200, res)
assert.equals("*", res.headers["Access-Control-Allow-Origin"])
assert.is_nil(res.headers["Access-Control-Allow-Credentials"])
assert.is_nil(res.headers["Vary"])
end)
end)
end)
Expand Down

0 comments on commit acdd89d

Please sign in to comment.