middyjs / middy

🛵 The stylish Node.js middleware engine for AWS Lambda 🛵

Home Page:https://middy.js.org


Matching `Access-Control-Allow-Headers`

jlarmstrongiv opened this issue

Is your feature request related to a problem? Please describe.
I would like to mirror the request headers in the Access-Control-Allow-Headers

Describe the solution you'd like
Automatically include the correct Access-Control-Allow-Headers

Describe alternatives you've considered
Making my own middleware

Additional context

From npm package cors

allowedHeaders: Configures the Access-Control-Allow-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: ['Content-Type', 'Authorization']). If not specified, defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.

Example headers:

Access-Control-Allow-Headers: origin, content-type, accept

It would be great for Middy to automatically match the sent headers

Thanks for the feature request. This was an idea a few years ago to allow having allowedHeaders: true, but was not implemented due to security concerns because it would allow the requester to choose the allowed headers.

I would be interested to hear about the use case that would require this.

Hope you had a very Merry Christmas and Happy New Year’s @willfarrell !

Apologies for the delay, I was visiting family.

This feature request is mostly to align middyjs with the other frameworks I’m using:

I would like allowedHeaders: true mainly to share the same settings across my whole project.

I would prefer that over debugging request errors and then whitelisting specific headers for middy:

  • Content-Type
  • Content-Length
  • Origin
  • Accept
  • Range

Among other headers.

Allowing arbitrary headers to be sent to the server is not an important security concern for us, since we keep all of our packages up-to-date and validate all the data we parse from the request.

I checked the latest releases, but didn’t see a release fixing this issue. Would you re-open it?

@willfarrell are you open to re-opening this issue?

I talked with some of my security colleagues and forgot to reply. Still a no at this time. Sorry. Why not list all allowed headers?

That’s alright. Thanks for getting back to me!

The main reason is that I’m using several other frameworks (aws cdk, sst, Astro, express.js), and middyjs is the only one that doesn’t support something like allowedHeaders: true.

That makes it a gotcha particular to middyjs, and finding and fixing that error isn’t obvious or straightforward. The security benefits aren’t worth the trouble in this particular case.

Even if the docs caution about the option, it would still be nice to have.