
CORS for 'GET' attachment or assets are not working #17098

Closed
derekhu opened this issue Sep 20, 2021 · 2 comments · Fixed by #28587
Comments

derekhu commented Sep 20, 2021

Gitea Version

1.15.2

Operating System

Windows

How are you running Gitea?

Localhost

Can you reproduce the bug on the Gitea demo site?

Yes

Description

CORS both for 'POST/PATCH' API and for 'GET' attachment or assets are not working

Access to XMLHttpRequest at 'http://localhost:330/attachments/b95d46d2-8fe9-4529-8bde-c5bddfe08286' from 
origin 'https://hoppscotch.io' has been blocked by CORS policy: 
Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I am building a PWA and using the REST API to get access to issues and comments of a self-hosted Gitea. There are several issues with CORS:

  1. CORS works only for the 'GET' method. It never sets 'Access-Control-Allowed-Origin: *' for 'POST', 'PATCH' etc.
    // after using a Chrome extension 'Corss Domain', it adds the response header 'Access-Control-Allowed-Origin: *' for 'POST', 'PATCH', and my PWA works.

  2. CORS works only for the REST API, not for ASSETS.
    As we know, a CORS HTTP method call comes after an 'OPTIONS' preflight request. However, the 'OPTIONS' method was not allowed for attachment asset requests. It just returns '405 method not allowed' when I access the resource the CORS way, using the right token.
    // I have not found a Chrome extension to fix the response code for OPTIONS access to assets yet.
    // so the issue is blocked.

Gitlab API provides the right response code and headers about CORS API access from different domains.

Hoping Gitea can improve the CORS implementation and configuration.

Screenshots

[screenshot image]

@derekhu derekhu changed the title CORS for Assets not working CORS both for 'POST/PATCH' API and for 'GET' attachment or assets are not working Sep 20, 2021
@derekhu derekhu changed the title CORS both for 'POST/PATCH' API and for 'GET' attachment or assets are not working CORS for 'GET' attachment or assets are not working Sep 20, 2021
noerw (Member) commented Oct 8, 2021

Ad 1: Are you talking about API routes? A specific one or all? For frontend routes I'm pretty sure this is on purpose as a hardening measure.
Ad 2: that sounds like another CORS regression from the migration to chi to me

@noerw noerw added the type/bug label Oct 8, 2021
derekhu (Author) commented Oct 8, 2021

Ad 1: Are you talking about API routes? A specific one or all? For frontend routes I'm pretty sure this is on purpose as a hardening measure. Ad 2: that sounds like another CORS regression from the migration to chi to me

Not frontend routes. Some facts below:

  1. I am using Gitea through REST API.
  2. I call the REST API from the browser, in another hosted domain, in a PWA application.
  3. So, that is: calling the Gitea REST API in another domain in the browser.
  4. I am using an API token for access.
  5. CORS headers work fine for 'GET' (reading method) but are not working for 'PATCH', 'PUT', 'DELETE' (writing methods).
  6. 'GET' assets (not API calls) don't provide CORS headers either.

Gitlab API works fine in the same scenarios above.

How to replay it?

  1. Gen an API token from Gitea profile
  2. Use https://hoppscotch.io/
  3. Access the Gitea REST API using the token generated in step 1)
  4. See errors in browser.
  5. Explain: Take hoppscotch.io as domain A, and Gitea is domain B ( localhost etc). And gitea's CORS config is on.

Thank you for the reply,
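The behaviour the reporter is asking for, shown as an added example that is neither Gitea's code nor the patch from #28587: a Go CORS middleware that answers the OPTIONS preflight itself before routing (so a GET-only attachment route can no longer reply 405 to it) and stamps Access-Control-Allow-Origin on every real response, PATCH and DELETE included. The origin allowlist, the two route paths and the probe helper are constructed for the example; the bare mux without the middleware reproduces the 405 from the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allowlist standing in for whatever
// origin list a real server reads from its configuration (hypothetical values).
var allowedOrigins = map[string]bool{
	"https://hoppscotch.io": true,
	"https://pwa.example":   true,
}

// corsMiddleware answers preflight requests itself and adds the CORS headers
// to every actual response, whatever the method or route. Echoing the matched
// origin (with "Vary: Origin") instead of "*" is what lets a browser send an
// Authorization header cross-origin; "*" may never be combined with credentials.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		isPreflight := r.Method == http.MethodOptions &&
			r.Header.Get("Access-Control-Request-Method") != ""

		if origin == "" {
			next.ServeHTTP(w, r) // same-origin or non-browser client: no CORS headers
			return
		}
		if !allowedOrigins[origin] {
			// Unknown origin: refuse the preflight, and serve real requests
			// without CORS headers so the browser withholds the response body.
			if isPreflight {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
			return
		}

		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Add("Vary", "Origin")
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		if isPreflight {
			// Answered here, before routing, so a route that only knows GET
			// (an attachment download) never sees the OPTIONS request.
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			w.Header().Set("Access-Control-Max-Age", "600")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux builds two hypothetical routes shaped like the ones in the report:
// an API route accepting GET and PATCH, and a GET-only attachment route that
// rejects every other method with 405, which is what the preflight hit.
func newMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/repos/o/r/issues/1", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodPatch {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprint(w, `{"id":1}`)
	})
	mux.HandleFunc("/attachments/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprint(w, "attachment-bytes")
	})
	return mux
}

// newApp wraps the routes in the middleware.
func newApp() http.Handler { return corsMiddleware(newMux()) }

// probe sends one request the way a browser would (Origin header, and for a
// preflight the Access-Control-Request-* headers) and returns the status code
// plus the Access-Control-Allow-Origin value in the reply.
func probe(h http.Handler, method, path, origin, requestMethod string) (int, string) {
	req := httptest.NewRequest(method, path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if requestMethod != "" {
		req.Header.Set("Access-Control-Request-Method", requestMethod)
		req.Header.Set("Access-Control-Request-Headers", "authorization")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	before, _ := probe(newMux(), http.MethodOptions, "/attachments/x", "https://hoppscotch.io", http.MethodGet)
	after, ao := probe(newApp(), http.MethodOptions, "/attachments/x", "https://hoppscotch.io", http.MethodGet)
	fmt.Printf("preflight on attachment: bare mux %d, with middleware %d (Allow-Origin=%s)\n", before, after, ao)
}
```

Running it prints the 405 from the bare mux next to the 204 from the wrapped one. The design point for a self-hosted server is the allowlist: echoing a configured origin is the only way to let a token-bearing PWA through, while a wildcard would either be rejected by the browser once credentials are involved or, on an open instance, let any site drive the API with the user's session.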

lunny pushed a commit that referenced this issue Dec 25, 2023
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
wxiaoguang added a commit to wxiaoguang/gitea that referenced this issue Dec 25, 2023
The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix go-gitea#28515
Fix go-gitea#27642
Fix go-gitea#17098
# Conflicts:
#	tests/integration/cors_test.go
wxiaoguang added a commit that referenced this issue Dec 25, 2023
Backport #28587, the only conflict is the test file.

The CORS code has been unmaintained for long time, and the behavior is
not correct.

This PR tries to improve it. The key point is written as comment in
code. And add more tests.

Fix #28515
Fix #27642
Fix #17098
katsusan pushed a commit to katsusan/gitea that referenced this issue Dec 26, 2023
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2024
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024