ory / cli

The Ory CLI.

Cannot set CORS allowed headers.

joshhubers opened this issue

Describe the bug

Hello,

First off, thanks for the great package, I've loved my past experience with Ory OSS.

I'm having an issue in my project using the ory proxy. I'm using a React application to talk to the ory proxy and I have a third party client library that is trying to request CORS headers: Authorization (note capital 'A') and X-Request-Id with an OPTIONS pre-flight, which the ory proxy disallows as these are non-standard headers.

I haven't written a lick of Go really, but it looks like this is the suspect line:

AllowedHeaders: append(corsx.CORSRequestHeadersSafelist, corsx.CORSRequestHeadersExtended...),

Reproducing the bug

Make an OPTIONS request to the ory proxy for a non-standard CORS header.

Ex. Access-Control-Request-Headers: authorization,x-request-id

Relevant log output

[cors] 2022/11/07 20:23:51 Handler: Preflight request  
[cors] 2022/11/07 20:23:51   Preflight aborted: headers '[Authorization X-Request-Id]' not allowed

Relevant configuration

A slight tangent. I tried using the -c flag to set a config file, but I get a json parse error for the .yaml, like it's not expecting yaml for some reason, but json, when all the docs show .yaml config files?

I'm also not sure if the proxy respects any of those config values.

I also hoped that maybe setting the env variable SERVE_WRITE_CORS_ALLOWED_HEADERS='["content-type", "authorization", "Authorization", "X-Request-Id"]' would do it, but to no avail.

Version

"@ory/cli": "^0.1.47",

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

No response

Additional Context

I'm not an expert on CORS or the ory proxy so I may be missing something obvious to forward the OPTIONS call to my downstream server?

Or potentially a way for ory proxy to just ignore OPTIONS and forward to the downstream server?
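
The preflight rejection shown in the log output, reproduced as an added example (not code from the Ory CLI or from the issue author): a minimal Go handler that checks `Access-Control-Request-Headers` against an allow-list. Header names are canonicalized before comparison because HTTP header names are case-insensitive; `baseAllowed`, `rejectedHeaders`, `preflight`, `grantedHeaders` and the `*.example` hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var baseAllowed = []string{"Accept", "Content-Type"} // constructed, not Ory's defaults

// rejectedHeaders lists requested headers missing from allowed (names compared case-insensitively).
func rejectedHeaders(allowed []string, requested string) []string {
	set := map[string]bool{}
	for _, h := range allowed {
		set[http.CanonicalHeaderKey(strings.TrimSpace(h))] = true
	}
	var rejected []string
	for _, h := range strings.Split(requested, ",") {
		if h = http.CanonicalHeaderKey(strings.TrimSpace(h)); h != "" && !set[h] {
			rejected = append(rejected, h)
		}
	}
	return rejected
}

// preflight sends CORS headers only for the trusted origin and only when every requested header is allowed.
func preflight(origin string, allowed []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		bad := rejectedHeaders(allowed, r.Header.Get("Access-Control-Request-Headers"))
		if r.Header.Get("Origin") == origin && len(bad) == 0 {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowed, ", "))
		}
	}
}

// grantedHeaders replays the preflight from the report and returns Access-Control-Allow-Headers.
func grantedHeaders(allowed []string) string {
	req := httptest.NewRequest(http.MethodOptions, "http://proxy.example/", nil)
	req.Header.Set("Origin", "http://app.example")
	req.Header.Set("Access-Control-Request-Headers", "authorization,x-request-id")
	rec := httptest.NewRecorder()
	preflight("http://app.example", allowed).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Headers")
}

func main() {
	fmt.Println(rejectedHeaders(baseAllowed, "authorization,x-request-id"), grantedHeaders(append(baseAllowed, "Authorization", "X-Request-Id")))
}
```

With the base list the handler returns no `Access-Control-Allow-Headers`, so the browser blocks the real request; adding the two header names to the list lets the same preflight succeed.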