Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CORS - header in the response must not be the wildcard '*' when the request's credentials mode is 'include #179

Open
cameronbraid opened this issue May 12, 2021 · 3 comments
Open

CORS - header in the response must not be the wildcard '*' when the request's credentials mode is 'include #179

cameronbraid opened this issue May 12, 2021 · 3 comments
Labels
bug Something isn't working no-stale No stale waiting-upstream Waiting upstream fixes or answers

Comments

@cameronbraid
Copy link

cameronbraid commented May 12, 2021
edited
Loading

Error reporter in chrome devtools

Access to CSS stylesheet at 'https://..' from origin 'https://...' has been blocked by CORS policy:
 The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard
  '*' when the request's credentials mode is 'include'.
16:11:31.942

So I think the CORS support needs to change from sending * and instead send the origin of the request in the Access-Control-Allow-Origin header
@cameronbraid cameronbraid added the bug Something isn't working label May 12, 2021
@cameronbraid cameronbraid changed the title COORS COORS - header in the response must not be the wildcard '*' when the request's credentials mode is 'include May 12, 2021
@cameronbraid
Copy link
Author

cameronbraid commented May 12, 2021
edited
Loading

raised an issue upstream go-chi/cors#17

@cameronbraid
Copy link
Author

cameronbraid commented May 12, 2021
edited
Loading

I found a workaround

allowOrigins: [https://*,http://*]
allowCredentials: true

As when you use allowAll: true this causes chi to use * as the header, where as adding a match like this makes it send the request's origin header

@oxyno-zeta
Copy link
Owner

Hello,

Thanks for this cross issue.
As written in the doc, this feature is based on the go-chi/cors library. I will wait for a response on your other issue to see if I can do anything on S3-Proxy.

I must admit that I've never seen that case.

Regards,

Oxyno-zeta

@oxyno-zeta oxyno-zeta added the no-stale No stale label May 12, 2021
@oxyno-zeta oxyno-zeta changed the title COORS - header in the response must not be the wildcard '*' when the request's credentials mode is 'include CORS - header in the response must not be the wildcard '*' when the request's credentials mode is 'include May 12, 2021
@oxyno-zeta oxyno-zeta added the waiting-upstream Waiting upstream fixes or answers label Jul 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working no-stale No stale waiting-upstream Waiting upstream fixes or answers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cameronbraid @oxyno-zeta