How to allow all ports from a given host (localhost)? about rocket_cors HOT 17 CLOSED

I am not sure what you are asking. CORS is not restricted by ports, but only host names. Also, your browser will not send CORS request headers if the Origin is the same. And the fairing will allow non CORS request to go through.

Can you send me the request and response headers?

from rocket_cors.

Yes. I will make it clearer in the documentation that "opaque" origins cannot be matched exactly.

I will also fix the error message. The inner value for the enum variant shouldn't be null

See #64

from rocket_cors.

An origin is defined as a combination of URI scheme, host name, and port number.

But localhost is an exception. At least chrome seems to not treat different ports on localhost as different origins! (At least on my computer, it shares cookies across different ports of localhost.)

Btw, I found out that the same-origin request (even from the same port!!) only gets rejected (by the cors fairing) in Chrome, not in Firefox or IE11.
Is this because Chrome also sends an Origin header for same-origin requests, but the other two don't?

Request headers in Firefox (where it works both on my laptop (server on localhost:9000 and origin localhost:4000 because of browsersync api proxy, and it also works as a same-origin request on https://mydomain.com):

Host: localhost:4000
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:4000/?
Content-Type: application/json
Content-Length: 41
Cookie: io=bIqg_2eZDGU8LVfyAAAE
Connection: keep-alive

Firefox headers for same-origin request with origin https://mydomain.com:

Host: mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://mydomain.com/
content-type: application/json
Content-Length: 41
Connection: keep-alive

Chrome headers for localhost:4000:

Request URL:http://localhost:4000/api/v1/login
Request Method:POST
Status Code:400 Bad Request
Remote Address:[::1]:4000
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
connection:close
content-length:16
content-type:application/json
date:Sat, 06 Jan 2018 12:29:14 GMT
server:Rocket
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.9,de;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Content-Length:41
Content-Type:application/json
Cookie:io=4RnyCjJaaYVpcySyAAAC
Host:localhost:4000
Origin:http://localhost:4000
Pragma:no-cache
Referer:http://localhost:4000/?
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Chrome headers for same-origin request with origin https://mydomain.com:

Request URL:https://mydomain.com/api/v1/login
Request Method:POST
Status Code:400 Bad Request (from ServiceWorker)
Remote Address:xxx.xxx.xxx.202:443
Referrer Policy:no-referrer-when-downgrade

Response Headers
view source
Connection:keep-alive
Content-Length:16
Content-Type:application/json
Date:Sat, 06 Jan 2018 12:04:00 GMT
Server:nginx/1.13.1

Request Headers
Provisional headers are shown
accept:application/json
content-type:application/json
Origin:https://mydomain.com
Referer:https://mydomain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36


Request URL:https://mydomain.com/api/v1/login
Request Method:POST
Status Code:400 Bad Request
Remote Address:xxx.xxx.xxx.202:443
Referrer Policy:no-referrer-when-downgrade

Response Headers
view source
Connection:keep-alive
Content-Length:16
Content-Type:application/json
Date:Sat, 06 Jan 2018 12:04:00 GMT
Server:nginx/1.13.1

Request Headers
view source
accept:application/json
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.9,de;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Content-Length:41
content-type:application/json
Host:mydomain.com
Origin:https://mydomain.com
Pragma:no-cache
Referer:https://mydomain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

See, it sets the Origin header. It is a same-origin request but the cors fairing still rejects it:

INFO rocket::rocket - POST /api/v1/login application/json:
ERROR _ - CORS Error: Origin is not allowed to request
INFO _ - Matched: GET /cors/<status>
INFO _ - Outcome: Failure
WARN _ - Responding with 403 Forbidden catcher.
INFO webserver - "\"403: forbidden\""
INFO _ - Response succeeded.

Note: I have this 403 handler:

#[error(403)]
fn forbidden(_req: &Request) -> Res<()> {
	err("403: forbidden")
}

So it seems like the cors fairing assumes that when an Origin header is present, it must be a CORS request, but that assumption isn't necessarily true, because Chrome also sends the Origin header for same-origin requests.

from rocket_cors.

So it seems like the cors fairing assumes that when an Origin header is present, it must be a CORS request, but that assumption isn't necessarily true, because Chrome also sends the Origin header for same-origin requests.

Then Chrome is really misbehaving, because the presence of the Origin header pretty much means it's a CORS request.

Can you try adding your localhost address to the list of allowed origins?

from rocket_cors.

Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header). Firefox doesn't include an Origin header on same-origin requests.

It is not misbehaving:
According to RFC 6454 - The Web Origin Concept - the presence of Origin is actually legal for any HTTP request, including same-origin requests:

http://tools.ietf.org/html/rfc6454#section-7.3

"The user agent MAY include an Origin header field in any HTTP request."

Adding localhost as allowed origin is not enough, it should work on all the production servers too, without having to specify the domain of the production server as allowed origin.
Can't the cors fairing check if Origin != Host? :)

As you can see above, Chrome sends:

Host:localhost:4000
Origin:http://localhost:4000

and

Host:mydomain.com
Origin:https://mydomain.com

So from this the cors fairing can see that it is a same-origin request.

from rocket_cors.

Sure, I don't have the time to do this now. Could you raise a PR for this? Otherwise you might have to wait for it.

from rocket_cors.

The problem is: The Host does not specify a port, so from the Host alone it can't know if the ports are the same, so it could still be a CORS request on the same host with a different port. Hm...

Btw, is there a way to allow all ports from a given Origin to do CORS requests with AllowedOrigins::some()?
It would be useful for localhost, e.g. AllowedOrigins::some("localhost:*").

from rocket_cors.

I can update the library to allow automatic CORS validation when Host == Origin.

For what you are asking, I would have to redo parts of the library. The list is currently populated by HashSet<Url>, but I am guessing a regex approach might be useful. I'd think about it.

from rocket_cors.

For what you are asking, I would have to redo parts of the library. The list is currently populated by HashSet, but I am guessing a regex approach might be useful. I'd think about it.

There are more usecases for this. For example I have a webserver running on localhost which is supposed to only take requests from a firefox extension so the allowed origin should be moz-extension://*.

from rocket_cors.

I'm working on refactoring (and breaking the API compatibility) to support Regex and other more esoteric use cases (primarily with non-standard schemas such as moz-extension) in #59.

That PR might not be "it" which brings the support but it's the first step.

from rocket_cors.

#62 now adds support for Regex. Please let me know if this covers your use cases.

from rocket_cors.

@lawliet89 I had time to try it out now but regex doesn't seem to match for me? (maybe it has to do with me using the odd moz-extension:// protocol in Origin?)
ActivityWatch/aw-server-rust#31 and look at the src/endpoints/cors.rs file

It would also be nice with some examples and tests for the regex code.

Another thing unrelated to this issue is that static strings are required for the origins. I have the port for my webserver configurable to it will depend on what the user sets in a config file so I need to set exact cors-origin dynamically while rocket_cors only support &str which is static. I solved this by explicitly leaking the string which works and works fine, but it is not a very nice way to do it.

let root_url : &'static str = Box::leak(format!("http://127.0.0.1:{}", config.port).into_boxed_str());
let allowed_origins = AllowedOrigins::some_exact(&[root_url]);

from rocket_cors.

#63 should fix the validation issue. I have also added tests for the Opaque origins.

I will add more documentation closer to "release" time.

Another thing unrelated to this issue is that static strings are required for the origins. I have the port for my webserver configurable to it will depend on what the user sets in a config file so I need to set exact cors-origin dynamically while rocket_cors only support &str which is static. I solved this by explicitly leaking the string which works and works fine, but it is not a very nice way to do it.

I have modified the signature of AllowedOrigins::some to take in different lifetimes for both parameters.

The issue you had before was that I let the compiler elide the anonymous lifetime of the arguments and it determined that the anonymous lifetime was 'static based on your first argument.

Edit: Added some documentation for the regex matches. There is an issue with the latest version of Clippy so the docs on the Github pages is not updated. You can see the docs by running cargo doc

Edit 2: I've done a beta release and added Changelog with migration information.

from rocket_cors.

@lawliet89 Awesome, will try it out tonight!

from rocket_cors.

Works pretty well now!

The only annoyance I have is that I get an OpaqueAllowedOrigin("null") with "moz-extension://6b1794a0-5ae6-4443-aef9-7755717bb180" and "chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi" if I have it in exact, but if I add it to regex it works fine?

from rocket_cors.

@lawliet89 Great, I think all my use-cases are covered now then. Thanks a lot for these changes!

from rocket_cors.

I am going to close this issue for now. The issue has gotten a bit off-topic. The initial use case is now covered by regex.

Please feel free to open new issues if you have any.

from rocket_cors.