CORS Request same origin ignored if no other origin set #30698
Comments
/cc @sberyozkin (jwt,security)
@yoadey Hi,
If you expect all requests from the same Origin, then you should not enable the CORS filter, as it now strictly requires that a specific origin be configured. Having said that, I think this issue is invalid.
If you reach that definitive conclusion, feel free to close the issue and add the
@sberyozkin Hi, what other option do I have to prevent CORS requests?
@yoadey CORS requests won't be coming from anywhere; you said that in your application you have single origin calls only, so CORS protection is not necessary. If you expect the Quarkus application to be accessed from some 3rd party origins, then these origins must be allowed. That said, perhaps we should relax a bit and allow same host origins without any explicit configuration, so let's keep the issue open for now :-)
@yoadey I can't promise the PR will be approved, but I agree now that the same origin check should not be pre-conditioned by the 3rd party origin configuration.
@yoadey PR is opened but, like I said, no guarantee it will be merged; for now, adding the same origin URLs to the config will do.
Hi, I think this issue is pretty relevant because the migration guide tells us:
What do you think? I think the PR is welcome.
Got your problem and discovered that, by using the ENV variables with a regexp, it works... For example, to accept any foo.local subdomain I was using this regexp in application.properties: So I started to change the configuration by using the ENV variable QUARKUS_HTTP_CORS_ORIGINS: Please note the double slash before "w+". I hope this can help someone else!
Describe the bug
If the CORS filter is enabled to prevent CORS attacks, but no other origin is set because we expect all requests from the same origin, at least POST requests are blocked in Chrome.
GET requests do not send the Origin header, so the CORS check is skipped, but POST requests include the Origin header even if it comes from the same origin.
Expected behavior
If CORS is enabled, same origin requests are always successful, even if no other origins are set.
Actual behavior
If the property quarkus.http.cors=true is set, but quarkus.http.cors.origins is not set, the same origin policy introduced in #29626 should come into place and always allow requests from the same origin.
How to Reproduce?
Steps to reproduce:
quarkus.http.cors=true
Output of
uname -a
or ver
No response
Output of
java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.16.0.FINAL
Build tool (ie. output of
mvnw --version
or gradlew --version
)
No response
Additional information
In CORSFilter line 191:
quarkus/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
Line 191 in f060bb8
the AND also includes the sameOrigin.
The closing bracket of the AND should probably be after line 192?
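As an added illustration (not the Quarkus CORSFilter source, which this report only points to by line number), the following Java models the two decision rules discussed in this thread: the reported behaviour, where the same-origin comparison only counts when quarkus.http.cors.origins is non-empty, and the requested behaviour, where the same-origin check stands on its own. Class and method names, and the sample host, are hypothetical and constructed for the example.

```java
import java.net.URI;
import java.util.List;

// Illustrative model only (hypothetical names, not the Quarkus CORSFilter source).
public class SameOriginCorsCheck {

    // True when the Origin header names exactly the scheme://host[:port] the request arrived on.
    static boolean isSameOrigin(String origin, String reqScheme, String reqHost, int reqPort) {
        if (origin == null || "null".equals(origin)) {
            return false; // browsers send "Origin: null" for opaque origins; never same origin
        }
        try {
            URI o = URI.create(origin);
            if (o.getScheme() == null || o.getHost() == null) {
                return false;
            }
            int originPort = o.getPort() != -1 ? o.getPort() : defaultPort(o.getScheme());
            return reqScheme.equalsIgnoreCase(o.getScheme())
                    && reqHost.equalsIgnoreCase(o.getHost())
                    && reqPort == originPort;
        } catch (IllegalArgumentException e) {
            return false; // a malformed Origin header is treated as foreign
        }
    }

    static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    // Behaviour reported in the issue: same-origin only counts when an origin list is configured.
    static boolean allowedAsReported(String origin, List<String> configured, String scheme, String host, int port) {
        return !configured.isEmpty()
                && (configured.contains(origin) || isSameOrigin(origin, scheme, host, port));
    }

    // Behaviour the issue asks for: the same-origin check stands on its own.
    static boolean allowedAsRequested(String origin, List<String> configured, String scheme, String host, int port) {
        return isSameOrigin(origin, scheme, host, port) || configured.contains(origin);
    }

    public static void main(String[] args) {
        List<String> noOrigins = List.of();     // quarkus.http.cors.origins left unset
        String host = "app.example";            // constructed sample host
        System.out.println(allowedAsReported("https://app.example", noOrigins, "https", host, 443));       // false: the reported bug
        System.out.println(allowedAsRequested("https://app.example", noOrigins, "https", host, 443));      // true
        System.out.println(allowedAsRequested("https://app.example:8443", noOrigins, "https", host, 443)); // false: port differs
        System.out.println(allowedAsRequested("https://other.example", noOrigins, "https", host, 443));    // false: foreign origin
    }
}
```

Behind a TLS-terminating reverse proxy the scheme and port the application sees may differ from what the browser used, so the request-side values fed to such a check must come from the forwarded-header handling, or legitimate same-origin POSTs will still be refused.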