Comments (17)
I am not sure what you are asking. CORS is not restricted by ports, but only host names. Also, your browser will not send CORS request headers if the Origin is the same. And the fairing will allow non CORS request to go through.
Can you send me the request and response headers?
from rocket_cors.
Yes. I will make it clearer in the documentation that "opaque" origins cannot be matched exactly.
I will also fix the error message. The inner value for the enum variant shouldn't be null
See #64
from rocket_cors.
An origin is defined as a combination of URI scheme, host name, and port number.
But localhost is an exception. At least chrome seems to not treat different ports on localhost as different origins! (At least on my computer, it shares cookies across different ports of localhost.)
Btw, I found out that the same-origin request (even from the same port!!) only gets rejected (by the cors fairing) in Chrome, not in Firefox or IE11.
Is this because Chrome also sends an Origin header for same-origin requests, but the other two don't?
Request headers in Firefox (where it works both on my laptop (server on localhost:9000 and origin localhost:4000 because of browsersync api proxy, and it also works as a same-origin request on https://mydomain.com):
Host: localhost:4000
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:4000/?
Content-Type: application/json
Content-Length: 41
Cookie: io=bIqg_2eZDGU8LVfyAAAE
Connection: keep-alive
Firefox headers for same-origin request with origin https://mydomain.com:
Host: mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://mydomain.com/
content-type: application/json
Content-Length: 41
Connection: keep-alive
Chrome headers for localhost:4000:
Request URL:http://localhost:4000/api/v1/login
Request Method:POST
Status Code:400 Bad Request
Remote Address:[::1]:4000
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
connection:close
content-length:16
content-type:application/json
date:Sat, 06 Jan 2018 12:29:14 GMT
server:Rocket
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.9,de;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Content-Length:41
Content-Type:application/json
Cookie:io=4RnyCjJaaYVpcySyAAAC
Host:localhost:4000
Origin:http://localhost:4000
Pragma:no-cache
Referer:http://localhost:4000/?
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Chrome headers for same-origin request with origin https://mydomain.com:
Request URL:https://mydomain.com/api/v1/login
Request Method:POST
Status Code:400 Bad Request (from ServiceWorker)
Remote Address:xxx.xxx.xxx.202:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Connection:keep-alive
Content-Length:16
Content-Type:application/json
Date:Sat, 06 Jan 2018 12:04:00 GMT
Server:nginx/1.13.1
Request Headers
Provisional headers are shown
accept:application/json
content-type:application/json
Origin:https://mydomain.com
Referer:https://mydomain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Request URL:https://mydomain.com/api/v1/login
Request Method:POST
Status Code:400 Bad Request
Remote Address:xxx.xxx.xxx.202:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Connection:keep-alive
Content-Length:16
Content-Type:application/json
Date:Sat, 06 Jan 2018 12:04:00 GMT
Server:nginx/1.13.1
Request Headers
view source
accept:application/json
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.9,de;q=0.8
Cache-Control:no-cache
Connection:keep-alive
Content-Length:41
content-type:application/json
Host:mydomain.com
Origin:https://mydomain.com
Pragma:no-cache
Referer:https://mydomain.com/
User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
See, it sets the Origin header. It is a same-origin request but the cors fairing still rejects it:
INFO rocket::rocket - POST /api/v1/login application/json:
ERROR _ - CORS Error: Origin is not allowed to request
INFO _ - Matched: GET /cors/<status>
INFO _ - Outcome: Failure
WARN _ - Responding with 403 Forbidden catcher.
INFO webserver - "\"403: forbidden\""
INFO _ - Response succeeded.
Note: I have this 403 handler:
#[error(403)]
fn forbidden(_req: &Request) -> Res<()> {
err("403: forbidden")
}
So it seems like the cors fairing assumes that when an Origin header is present, it must be a CORS request, but that assumption isn't necessarily true, because Chrome also sends the Origin header for same-origin requests.
from rocket_cors.
So it seems like the cors fairing assumes that when an Origin header is present, it must be a CORS request, but that assumption isn't necessarily true, because Chrome also sends the Origin header for same-origin requests.
Then Chrome is really misbehaving, because the presence of the Origin
header pretty much means it's a CORS request.
Can you try adding your localhost address to the list of allowed origins?
from rocket_cors.
It is not misbehaving:
According to RFC 6454 - The Web Origin Concept - the presence of Origin is actually legal for any HTTP request, including same-origin requests:
http://tools.ietf.org/html/rfc6454#section-7.3
"The user agent MAY include an Origin header field in any HTTP request."
Adding localhost as allowed origin is not enough, it should work on all the production servers too, without having to specify the domain of the production server as allowed origin.
Can't the cors fairing check if Origin
!= Host
? :)
As you can see above, Chrome sends:
Host:localhost:4000
Origin:http://localhost:4000
and
Host:mydomain.com
Origin:https://mydomain.com
So from this the cors fairing can see that it is a same-origin request.
from rocket_cors.
Sure, I don't have the time to do this now. Could you raise a PR for this? Otherwise you might have to wait for it.
from rocket_cors.
The problem is: The Host
does not specify a port, so from the Host
alone it can't know if the ports are the same, so it could still be a CORS request on the same host with a different port. Hm...
Btw, is there a way to allow all ports from a given Origin to do CORS requests with AllowedOrigins::some()
?
It would be useful for localhost, e.g. AllowedOrigins::some("localhost:*")
.
from rocket_cors.
I can update the library to allow automatic CORS validation when Host == Origin
.
For what you are asking, I would have to redo parts of the library. The list is currently populated by HashSet<Url>
, but I am guessing a regex approach might be useful. I'd think about it.
from rocket_cors.
For what you are asking, I would have to redo parts of the library. The list is currently populated by HashSet, but I am guessing a regex approach might be useful. I'd think about it.
There are more usecases for this. For example I have a webserver running on localhost which is supposed to only take requests from a firefox extension so the allowed origin should be moz-extension://*
.
from rocket_cors.
I'm working on refactoring (and breaking the API compatibility) to support Regex and other more esoteric use cases (primarily with non-standard schemas such as moz-extension
) in #59.
That PR might not be "it" which brings the support but it's the first step.
from rocket_cors.
#62 now adds support for Regex. Please let me know if this covers your use cases.
from rocket_cors.
@lawliet89 I had time to try it out now but regex doesn't seem to match for me? (maybe it has to do with me using the odd moz-extension://
protocol in Origin?)
ActivityWatch/aw-server-rust#31 and look at the src/endpoints/cors.rs file
It would also be nice with some examples and tests for the regex code.
Another thing unrelated to this issue is that static strings are required for the origins. I have the port for my webserver configurable to it will depend on what the user sets in a config file so I need to set exact cors-origin dynamically while rocket_cors only support &str which is static. I solved this by explicitly leaking the string which works and works fine, but it is not a very nice way to do it.
let root_url : &'static str = Box::leak(format!("http://127.0.0.1:{}", config.port).into_boxed_str());
let allowed_origins = AllowedOrigins::some_exact(&[root_url]);
from rocket_cors.
#63 should fix the validation issue. I have also added tests for the Opaque
origins.
I will add more documentation closer to "release" time.
Another thing unrelated to this issue is that static strings are required for the origins. I have the port for my webserver configurable to it will depend on what the user sets in a config file so I need to set exact cors-origin dynamically while rocket_cors only support &str which is static. I solved this by explicitly leaking the string which works and works fine, but it is not a very nice way to do it.
I have modified the signature of AllowedOrigins::some
to take in different lifetimes for both parameters.
The issue you had before was that I let the compiler elide the anonymous lifetime of the arguments and it determined that the anonymous lifetime was 'static
based on your first argument.
Edit: Added some documentation for the regex matches. There is an issue with the latest version of Clippy so the docs on the Github pages is not updated. You can see the docs by running cargo doc
Edit 2: I've done a beta release and added Changelog with migration information.
from rocket_cors.
@lawliet89 Awesome, will try it out tonight!
from rocket_cors.
Works pretty well now!
The only annoyance I have is that I get an OpaqueAllowedOrigin("null")
with "moz-extension://6b1794a0-5ae6-4443-aef9-7755717bb180"
and "chrome-extension://nglaklhklhcoonedhgnpgddginnjdadi"
if I have it in exact, but if I add it to regex it works fine?
from rocket_cors.
@lawliet89 Great, I think all my use-cases are covered now then. Thanks a lot for these changes!
from rocket_cors.
I am going to close this issue for now. The issue has gotten a bit off-topic. The initial use case is now covered by regex.
Please feel free to open new issues if you have any.
from rocket_cors.
Related Issues (20)
- Building on `stable` results in error HOT 5
- Rocket Cors & Headers HOT 1
- Fairing CORS fails preflight check HOT 1
- Build error with latest async-trait HOT 3
- No CORS headers (even running example) HOT 1
- Build error on Rust 1.33.0-nightly. HOT 2
- Upload Documentation to Github Pages using Github Actions HOT 6
- Add a builder pattern to CorsOptions HOT 2
- Hide Error: No matching routes for OPTIONS HOT 3
- `log` is ambiguous HOT 7
- Fairing working in local but not in remote server HOT 1
- Support for Rocket async branch HOT 4
- Cors Partially working HOT 4
- Support configuration from Rocket.toml HOT 2
- Define MSRV when Rocket 0.5 is released HOT 1
- Switch back Rocket dependency to crates.io when 0.5 is released HOT 5
- CORS gives an error when booting with the default settings and accessing with axios. HOT 2
- Compile on stable rust HOT 1
- Fixed Manuel Issue HOT 1
- the trait `Fairing` is not implemented for `Cors` HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rocket_cors.