resgateio/resgate

CORS - allowing content-type on headers

g-belmonte opened this issue · 6 comments

Greetings!

I've been dealing with an application that has different servers for the frontend and its API. Resgate is the entrypoint for the API, and I was trying to do some REST requests from the frontend, but having trouble when setting the header "Content-Type: application/json", because resgate's answer didn't have the header "Access-Control-Allow-Headers: content-type".
I added it to the code, and things started to work perfectly for me.

If you think this change might bring value to the project, here's the PR: #173

I was solving this issue with @raphaelpereira, and I saw we both opened a PR for that.
(the other PR is #172)

Please, feel free to close one of them 😄

Hi @g-belmonte and @raphaelpereira

Sorry for the slow response. Week has been mightily busy.

Great that you guys made it work! (and made me aware of the issue 😃)

#172 (and #173) covers the most common case with Content-Type, but better to cover it completely.

Since request headers will have no side-effects with Resgate, and attempts to forge headers such as X-Forwarded-Host can easily be countered at the reverse proxy if some RES-service for some weird reason should depend on it, so... yeah, I think it is safe to allow any headers.

But, with those changes, I actually made my own branch where the Access-Control-Request-Headers value is mirrored to the Access-Control-Allow-Headers (I am not sure how well the browsers support the *-wildcard, so mirroring is safer).

https://github.com/resgateio/resgate/tree/feature/gh-171-cors-access-control-allow-headers

If you have the time, please try it out to see if it solves your issue.

No worries, @jirenius! Actually, thanks for spending time taking a look at this issue. Time is a scarce resource 😃

Well, my fix worked until I had to do a request with authorization. Then I had to add Access-Control-Allow-Headers: authorization to the headers and I started to think "what other headers am I missing?"... so, I do think that mirroring the Access-Control-Request-Headers would be an easy way forward!
I'll go test your branch, and I'll be back soon with the results 😄

And yes, your branch is working perfectly 😄 👍

Great! Thanks for the help.

I'll have the branch merged to develop, and then release a patch version of Resgate instead of waiting for next minor release.

Resolved in #174
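
The mirroring approach discussed in this thread, sketched as an added example; it is not Resgate's code and not part of any comment above. The `corsMirror` middleware, the `preflight` helper, the origin allow-list, the request path and the `Access-Control-Allow-Methods` value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allow-list; the origin check, not the
// header list, is what decides which sites may read responses.
var allowedOrigins = map[string]bool{"https://app.example.com": true}

// corsMirror (hypothetical name) answers a preflight by echoing the header
// names the browser asked for in Access-Control-Request-Headers.
func corsMirror(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if !allowedOrigins[origin] {
			next.ServeHTTP(w, r) // no CORS headers are added for unknown origins
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		h.Add("Vary", "Origin")
		if r.Method != http.MethodOptions || r.Header.Get("Access-Control-Request-Method") == "" {
			next.ServeHTTP(w, r) // actual request, not a preflight
			return
		}
		if req := r.Header.Get("Access-Control-Request-Headers"); req != "" {
			h.Set("Access-Control-Allow-Headers", req) // mirror, no wildcard
		}
		h.Set("Access-Control-Allow-Methods", "GET, POST") // example value
		w.WriteHeader(http.StatusNoContent)
	})
}

// preflight sends one constructed preflight through the middleware and
// returns the Access-Control-Allow-Headers value the browser would see.
func preflight(origin, reqHeaders string) string {
	r := httptest.NewRequest(http.MethodOptions, "/api/example/model", nil)
	r.Header.Set("Origin", origin)
	r.Header.Set("Access-Control-Request-Method", "POST")
	r.Header.Set("Access-Control-Request-Headers", reqHeaders)
	w := httptest.NewRecorder()
	corsMirror(http.NotFoundHandler()).ServeHTTP(w, r)
	return w.Header().Get("Access-Control-Allow-Headers")
}

func main() {
	fmt.Println(preflight("https://app.example.com", "authorization, content-type"))
	fmt.Printf("%q\n", preflight("https://other.example", "authorization"))
}
```

Mirroring also covers the `authorization` case raised above without relying on `*`, which browsers treat as a literal header name on credentialed requests and which never covers `Authorization`.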