How do Allowed Headers for CORS preflight requests work? #143

Open
bdon opened this issue Dec 20, 2024 · 2 comments

@bdon

bdon commented Dec 20, 2024

On this part of the docs: https://github.com/tigrisdata/tigris-os-docs/blob/main/docs/buckets/cors.md?plain=1#L73

> For pre-flight requests, it compares the allowed headers with those specified by the Access-Control-Request-Headers header.

The UI specifies: "Enter comma separated values. (Accept,Accept-Language,Authorization or *)".

Are we expected to exhaustively specify all headers in the request like Accept,Origin,Pragma that the browser attaches automatically?

I am having trouble specifying an allowlist of headers with my UI setting to X-Custom-Header. You can see the repro page here: https://bdon.github.io/tigris-cors/ (repository: https://github.com/bdon/tigris-cors)

The second CORS request fails because it needs a preflight for the custom header X-Custom-Header.

It seems to work when the allowed headers are set to * in the UI.

(Maybe this is better as a forum support ticket instead of a docs issue)

@JigarJoshi
Contributor

Hi @bdon

Yes, the full list of headers is required. Here is the cURL equivalent of your bucket's preflight request:

curl -v 'https://tigris-cors.protomaps.dev/blank.txt' -X OPTIONS -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br, zstd' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: x-custom-header' -H 'Referer: https://bdon.github.io/' -H 'Origin: https://bdon.github.io' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'Priority: u=4' -H 'TE: trailers'

Your bucket has CORS set up to allow * origin and method; for headers you have only x-custom-header allowed. So if you modify this preflight request to

curl -v 'https://tigris-cors.protomaps.dev/blank.txt' -X OPTIONS -H 'Origin: https://bdon.github.io'

it will serve the right CORS headers. Of course you can't control your or your users' browsers to only send these headers, so you need to provide the full set of headers that a typical browser will send. Maybe this will help: https://www.whatismybrowser.com/detect/what-http-headers-is-my-browser-sending/
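The exchange described in the reply above, as an added example that is not part of the issue, the reporter's repro, or Tigris' own code. It models both sides of the preflight: a simulated server policy (the config shape, and the "all-headers" mode that treats every header on the OPTIONS request as subject to the allowlist, are assumptions made to reproduce the behaviour the reply reports; the three CORS control headers are assumed exempt so that the trimmed cURL above passes) and the check a browser applies to the response per the Fetch specification. The Firefox header set is transcribed from the cURL in the reply.

```javascript
// Added example, not Tigris code: a small model of the CORS preflight exchange
// discussed in this issue. Header names are lowercased throughout because HTTP
// field names are case-insensitive.

// CORS-safelisted request headers (Fetch spec). A fetch that only sets these
// needs no preflight; the per-header value restrictions are ignored here.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Headers the browser adds to the OPTIONS request itself, not headers of the
// real fetch. Assumed exempt from the allowlist in "all-headers" mode.
const CORS_CONTROL = new Set(["origin", "access-control-request-method", "access-control-request-headers"]);

function splitHeaderList(value) {
  // "X-Custom-Header, Authorization" -> ["x-custom-header", "authorization"]
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Names a browser will put in Access-Control-Request-Headers for a fetch.
function unsafeHeaderNames(fetchHeaders) {
  return Object.keys(fetchHeaders).map((h) => h.toLowerCase()).filter((h) => !SAFELISTED.has(h));
}

function isAllowed(name, allowed) {
  return allowed.includes("*") || allowed.includes(name);
}

// Server side. Returns the CORS response headers, or null when the preflight
// is rejected (no Access-Control-Allow-* headers, so the browser fails it).
// mode "request-headers": compare only the names listed in
//   Access-Control-Request-Headers, as the docs line quoted in the issue reads.
// mode "all-headers": every header name on the OPTIONS request (minus the CORS
//   control headers) must be allowed. This is an assumption modelling what the
//   reply above reports for the bucket, not Tigris source.
function serverPreflight(config, preflight, mode = "request-headers") {
  const h = preflight.headers; // keys are lowercase in the samples below
  const allowedHeaders = config.allowedHeaders.map((x) => x.toLowerCase());
  const origin = h["origin"];
  if (!isAllowed(origin, config.allowedOrigins)) return null;
  if (!isAllowed(h["access-control-request-method"], config.allowedMethods)) return null;
  const toCheck = mode === "all-headers"
    ? Object.keys(h).filter((n) => !CORS_CONTROL.has(n))
    : splitHeaderList(h["access-control-request-headers"]);
  if (!toCheck.every((n) => isAllowed(n, allowedHeaders))) return null;
  return {
    "Access-Control-Allow-Origin": config.allowedOrigins.includes("*") ? "*" : origin,
    "Access-Control-Allow-Methods": config.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": allowedHeaders.join(", "),
  };
}

// Browser side (Fetch spec CORS-preflight check): every name the browser listed
// in Access-Control-Request-Headers must appear in Access-Control-Allow-Headers.
// "*" covers them only for requests without credentials and never covers
// Authorization, which must always be listed explicitly.
function browserAcceptsPreflight(responseHeaders, requestedNames, credentialsMode = "omit") {
  if (!responseHeaders) return false;
  const allowed = splitHeaderList(responseHeaders["Access-Control-Allow-Headers"]);
  const wildcard = allowed.includes("*") && credentialsMode !== "include";
  return requestedNames.every((name) => {
    const n = name.toLowerCase();
    return allowed.includes(n) || (wildcard && n !== "authorization");
  });
}

// Constructed from the cURL in the reply above: the preflight Firefox 133 sent.
const firefoxPreflight = { headers: {
  "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0",
  "accept": "*/*", "accept-language": "en-US,en;q=0.5", "accept-encoding": "gzip, deflate, br, zstd",
  "access-control-request-method": "GET", "access-control-request-headers": "x-custom-header",
  "referer": "https://bdon.github.io/", "origin": "https://bdon.github.io",
  "connection": "keep-alive", "sec-fetch-dest": "empty", "sec-fetch-mode": "cors",
  "sec-fetch-site": "cross-site", "priority": "u=4", "te": "trailers",
} };
// The trimmed request from the reply: only Origin.
const trimmedPreflight = { headers: { "origin": "https://bdon.github.io" } };
// The bucket config the thread describes: "*" origin and method, one allowed header.
const bucketConfig = { allowedOrigins: ["*"], allowedMethods: ["*"], allowedHeaders: ["X-Custom-Header"] };

function demo() {
  const requested = unsafeHeaderNames({ "X-Custom-Header": "1", "Accept": "*/*" });
  const strictFull = serverPreflight(bucketConfig, firefoxPreflight, "all-headers");
  const strictTrimmed = serverPreflight(bucketConfig, trimmedPreflight, "all-headers");
  const specFull = serverPreflight(bucketConfig, firefoxPreflight, "request-headers");
  const wildcardFull = serverPreflight({ ...bucketConfig, allowedHeaders: ["*"] }, firefoxPreflight, "all-headers");
  return {
    requested,                                                          // ["x-custom-header"]
    strictFullRejected: strictFull === null,                            // true: Accept, User-Agent... not allowed
    strictTrimmedAccepted: browserAcceptsPreflight(strictTrimmed, requested), // true, as the reply shows
    specFullAccepted: browserAcceptsPreflight(specFull, requested),     // true under the documented comparison
    wildcardAccepted: browserAcceptsPreflight(wildcardFull, requested), // true, as the reporter observed with "*"
    wildcardCoversAuthorization: browserAcceptsPreflight(wildcardFull, ["Authorization"]), // false
  };
}

console.log(demo());
```

The two server modes make the thread's disagreement concrete: under the comparison the docs describe, `X-Custom-Header` alone suffices; under the behaviour the reply reports, the browser's own headers must be allowlisted too, which is why `*` "fixes" it. The browser-side function is the reason `*` is not a free pass either: it is ignored for credentialed requests and never covers `Authorization`.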

@bdon
Author

bdon commented Dec 25, 2024

It could be better ergonomics if the invisible default was to include all the CORS-safelisted headers, though I understand it may also need to include some browser specific ones like Pragma so it is difficult to be exhaustive. In any case perhaps the docs could reflect the default allowlist being empty? (I think other S3 implementations have a default list, so the way Tigris works was surprising)
