Spray and CORS headers with multiple allowed origins - rejected by chrome


Tim Bennett

Mar 6, 2014, 11:55:41 AM
to spray...@googlegroups.com
Hi, 

I've recently been using the CORS support in spray to allow cross site access from multiple, specific origins (i.e. not * wild-carded). The current implementation in https://github.com/spray/spray/blob/master/spray-http/src/main/scala/spray/http/HttpOrigin.scala renders the Seq[HttpOrigin] as a space delimited list.

When I tried this, I ran into some problems using Chrome, as their interpretation of the spec is that multiple origins are not allowed. See https://code.google.com/p/chromium/issues/detail?id=321517 and http://src.chromium.org/viewvc/blink?view=revision&revision=163406.

Chrome treats the space delimited set of origins as a single origin, and fails the match:

The 'Access-Control-Allow-Origin' whitelists only 'http://your_origin http://other http://other_more' Origin 'http://your_origin' is not in the list, and is therefore not allowed access. 

The recommended approach seems to be to take the value of the Origin header and put that into Access-Control-Allow-Origin header, if it should be allowed (http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains). I have changed my implementation to use this approach, and it is now working in both chrome and firefox.

Access-Control-Allow-Origin = "Access-Control-Allow-Origin" ":" origin-list-or-null | "*"

In practice the origin-list-or-null production is more constrained. Rather than allowing a space-separated list of origins, it is either a single origin or the string "null".

There was also a bug report for firefox to allow space delimited parsing but it was closed as an error: https://bugzilla.mozilla.org/show_bug.cgi?id=649917

So, it seems as though spray should perhaps not allow multiple origins in the Access-Control-Allow-Origin header to prevent issues.

Hope this is useful :)

Thanks
Tim
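The approach described above (check the request's Origin against an allowlist and echo back that single origin, instead of emitting a space-separated list), as an added example that is not part of the original post or of spray. The allowlist values are constructed for the example, and `browser_accepts` is an assumed simplification of the browser-side check, kept only to show why the space-joined header fails:

```python
"""Allowlist-based CORS origin echo (added example, not spray code).

Browsers compare the Access-Control-Allow-Origin (ACAO) value to the request's
Origin as one string, so a space-separated list never matches. The server
should instead match the incoming Origin against an allowlist and, on a hit,
echo back exactly that origin, plus 'Vary: Origin' so caches key on it.
"""
from typing import Dict, FrozenSet, Iterable, Optional
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if not an origin.

    Scheme and host are case-insensitive and default ports are dropped, so
    'HTTP://Your_Origin:80' compares equal to 'http://your_origin'. A literal
    'null' Origin (sandboxed iframes, file://) is rejected here rather than
    echoed: an ACAO of 'null' would grant access to every such context.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # an Origin is a serialized origin, never a full URL
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def build_allowlist(origins: Iterable[str]) -> FrozenSet[str]:
    """Canonicalize configured origins once so lookups are exact-match."""
    canonical = (normalize_origin(o) for o in origins)
    return frozenset(o for o in canonical if o is not None)


# Constructed allowlist for the example; the values mirror the thread's message.
ALLOWED_ORIGINS = build_allowlist(
    ["http://your_origin", "http://other", "http://other_more"]
)


def cors_headers(request_headers: Dict[str, str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Compute the CORS response headers for one request.

    Returns {} when there is no Origin header (a same-origin or non-browser
    request). When the origin is not allowed, ACAO is omitted entirely, so the
    browser blocks the response; '*' is never used as a fallback because it
    would be invalid alongside credentialed requests anyway.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in allowed:
        return {"Vary": "Origin"}  # still vary so a denial is not cached for others
    return {
        "Access-Control-Allow-Origin": canonical,  # exactly one origin, echoed
        "Vary": "Origin",
    }


def browser_accepts(request_origin: str, acao_value: str) -> bool:
    """Assumed simplification of the browser check: ACAO must be '*' or equal
    the request Origin byte-for-byte. A space-joined list is one string that
    matches nothing, which is the failure Chrome reports."""
    return acao_value == "*" or acao_value == request_origin


if __name__ == "__main__":
    req = {"Origin": "http://your_origin"}
    joined = " ".join(sorted(ALLOWED_ORIGINS))
    print("space-joined header accepted:",
          browser_accepts(req["Origin"], joined))
    print("echoed header:", cors_headers(req))
```

Exact, canonicalized matching is the point of `normalize_origin`: a substring or prefix comparison would let `http://your_origin.attacker.example` pass, and reflecting whatever Origin arrives without a lookup turns the allowlist into a wildcard that also works with credentials.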

Johannes Rudolph

Mar 7, 2014, 9:50:19 AM
to spray...@googlegroups.com
Hi Tim,

thanks for the reminder.

On Thu, Mar 6, 2014 at 5:55 PM, Tim Bennett <benn...@gmail.com> wrote:
> So, it seems as though spray should perhaps not allow multiple origins in
> the Access-Control-Allow-Origin header to prevent issues.

maybe there's also a middle-ground: model the header as generally as
the grammar would allow but still don't ever generate headers with
multiple origins. To this end, maybe we could make the constructors
private and add zero and single argument apply methods to the
companion and something with a more warning name if you *really* want
to create one with multiple origins. I created a ticket to track this:

https://github.com/spray/spray/issues/814

However, as we cannot do this in a binary compatible way we probably
won't do it right now but consider it for the next version.

--
Johannes

-----------------------------------------------
Johannes Rudolph
http://virtual-void.net

Tim Bennett

Mar 9, 2014, 6:03:31 PM
to spray...@googlegroups.com, johannes...@googlemail.com
Hi Johannes,

Thanks for your reply, that sounds like a good approach.

Tim