ESP v2 not returning CORS headers with

[Daniel Alm]

Hi,

I am trying to migrate from ESP v1 to v2, running on GKE. My service is behind an HTTPS GCLB managed by GKE, with a gRPC backend.

With ESP v1, adding the startup option `--cors_preset=basic` caused all requests to the server to be annotated with the desired CORS headers:

access-control-max-age: 1728000

access-control-allow-origin: *

access-control-allow-methods: GET, POST, PUT, PATCH, DELETE, OPTIONS

access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization

With ESP v2, none of the requests I send have any CORS headers attached to their responses, not even "OPTIONS" requests. However, according to https://groups.google.com/g/google-cloud-endpoints/c/EjB_Sx38sxc/m/Sxmk2vNGBQAJ, it is possible to have ESPv2 send CORS headers, so I am assuming some sort of misconfiguration on my part.

Here are the startup options I am using;

"--listener_port=8081",

"--service=<my endpoints service>",

"--rollout_strategy=managed",

"--backend=grpc://127.0.0.1:5050",

"--cors_preset=basic",

"--http_request_timeout_s=600",

"--generate_self_signed_cert",

"--enable_debug",

This is one of the calls I am sending:

curl -X OPTIONS -v https://my-domain/MyService.Rpc

A curl to just the domain without a path yields the same result. The same curl calls to a service hosted by ESPv1 have the CORS headers attached to them.

I have found no mention whatsoever of CORS in my ESP container's logs (debug logging is turned on already; see above), but can send those to you anyway if that would help.

Thanks,

Daniel

[qiwz...@google.com]

ESPv2 CORS feature is implemented by Envoy.  Even its flags are the same as ESPv1 for easy migration, there are some subtle different when testing it.

For example, for OPTIONS to work,  it requires two headers "origin" and "Access-Control-Request-Method". 

In your curl test,  you did not specify them.

[Wayne Zhang]

What is the status?  Have you tried with curl for OPTIONS call?   When trying with curl, please specify "Origin" and "Access-Control-Request-Method" headers.

On Fri, Jan 22, 2021 at 11:36 AM Daniel Alm <daniel.ale...@gmail.com> wrote:

P.S.: I am using ESP v2.23.0.

--
You received this message because you are subscribed to a topic in the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-cloud-endpoints/XuC2FBOvFJY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/f55f95a3-247e-4a14-b544-67ec9ad47406n%40googlegroups.com.

[Ankit Dwivedi]

Hi,

I am facing CORS issue and after a lot of try not able to understand how to resolve it.

we have tried multiple options but failed every time, please help on this.

Tried option-1 : - 

Deployed espV2 container with CORS - 

gcloud run deploy CLOUD_RUN_SERVICE_NAME \
  --image="gcr.io/ESP_PROJECT_ID/endpoints-runtime-serverless:ESP_VERSION-CLOUD_RUN_HOSTNAME-CONFIG_ID" \
  --set-env-vars=ESPv2_ARGS=--cors_preset=basic \
  --allow-unauthenticated \
  --platform managed \
  --project ESP_PROJECT_ID

but getting issue - Access to XMLHttpRequest at 'https://deyes-dq5rvo4msq-el.a.run.app/generateOtp' from origin 'http://localhost:8100' has been blocked by CORS policy: Request header field access-control-allow-methods is not allowed by Access-Control-Allow-Headers in preflight response.

Tried option-2 :- 

Edit the gcloud_build_image  like below-

 ENV ESPv2_ARGS ^++^--cors_preset=basic++--cors_allow_method="GET,PUT,POST"++--cors_allow_credentials

and deployed container with below - 

  gcloud run deploy CLOUD_RUN_SERVICE_NAME \ --image="gcr.io/ESP_PROJECT_ID/endpoints-runtime-serverless:ESP_VERSION-CLOUD_RUN_HOSTNAME-CONFIG_ID" \ --set-env-vars=ESPv2_ARGS=^++^--cors_preset=basic++--cors_allow_methods=GET, POST, PUT, PATCH, DELETE, OPTIONS \ --allow-unauthenticated \ --platform managed \ --project ESP_PROJECT_ID  

  but getting issue - Access to XMLHttpRequest at 'https://deyes-dq5rvo4msq-el.a.run.app/generateOtp' from origin 'http://localhost:8100' has been blocked by CORS policy: Request header field access-control-allow-methods is not allowed by Access-Control-Allow-Headers in preflight response.  

can someone please help into this, how to resolve.

Regards,

--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/9929f575-fdd0-4a81-a6a8-792171ee5581n%40googlegroups.com.

[Daniel Alm]

Sorry for the confusion, I had sent the PS right after the original post, but it for some reason got delivered more than a day after the initial post.

Your reply was extremely helpful. I was able to confirm that a curl call with the two request headers you mentioned indeed attaches the desired CORS headers to the response. And it seems like the browser indeed also attaches these headers, so this solution works in practice for me. No further help needed, thank you very much!

On 22. Jan 2021, at 21:07, Wayne Zhang <qiwz...@google.com> wrote: