
Always getting multiple values for 'Access-Control-Allow-Origin' or no value at all... #59

Open
seinick opened this issue Jan 30, 2018 · 3 comments


seinick commented Jan 30, 2018

vader:VTAg nick$ npm view "restify-cors-middleware" version
1.1.0

vader:VTAg nick$ npm view "restify" version
6.3.4

Despite specifying either a single value for the "origins" array in the config, no value, or '*' ... the only outcome I see is my requests getting EITHER multiple allowed values (ORIGIN, *) or no allowed values. Either way, the site fails to load because both options are illegal.

var router = require("./router");
var config = require("./config");
var restify = require('restify');
var fs = require('fs');
var helmet = require('helmet');
var corsMiddleware = require('restify-cors-middleware')
var CORS = corsMiddleware(
	{
		origins: ['https://vtag-local.stone-env.net:3000'],
		allowHeaders: ['*']
	}
)

var ONE_YEAR = 31536000000;

// Setup some https server options
var https_options = {
    key: fs.readFileSync(config.certificate),
    certificate: fs.readFileSync(config.certificate),
	ciphers: [
		"ECDHE-RSA-AES256-SHA384",
		"DHE-RSA-AES256-SHA384",
		"ECDHE-RSA-AES256-SHA256",
		"DHE-RSA-AES256-SHA256",
		"ECDHE-RSA-AES128-SHA256",
		"DHE-RSA-AES128-SHA256",
		"HIGH",
		"!aNULL",
		"!eNULL",
		"!EXPORT",
		"!DES",
		"!RC4",
		"!MD5",
		"!PSK",
		"!SRP",
		"!CAMELLIA"
	].join(':'),
	honorCipherOrder: true
};

var setupServer = function(app) {
	app.pre(CORS.preflight);
	app.pre(restify.pre.userAgentConnection());
	app.use(restify.plugins.bodyParser());
	app.use(restify.plugins.queryParser());
	//app.use(restify.CORS());
	app.use(restify.plugins.fullResponse());
	app.use(helmet.hsts({
		maxAge: ONE_YEAR,
		includeSubdomains: true,
		force: true
	}));
	app.use(CORS.actual);
	require("./router.js")(app);
};

var appSSL = restify.createServer(https_options);

setupServer(appSSL);

appSSL.listen(config.portSSL, config.ip, function () {
    console.log("Listening on " + config.ip + ", port " + config.portSSL)
});

FTR I have tried commenting out the various other parts of my server .pre and .use setup. Removing them did not seem to make things any better or worse regarding CORS.

In my router I have code called for each route that was handling CORS headers, but now seems to interact badly with the new middleware... so I've commented it out. I thought at first that my setting the Access-Control-Allow-Origin here was screwing up the restify-cors-middleware, but even after removing it, I'm still getting multiple Access-Control-Allow-Origin values...

function setupCORSCrap(req, res, next) {
        console.log('----{ Setting CORS headers }----');
        //res.setHeader('Access-Control-Allow-Origin', '*');
        //res.setHeader('Access-Control-Allow-Headers', 'Authorization, Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token');
        //res.setHeader('Access-Control-Allow-Methods', '*');
        //res.setHeader('Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time');        
        ///res.setHeader('Access-Control-Max-Age', '1000');
        console.log('.____. headers set .____.');
        return next();
    }

It seems like the primary issue revolves around the middleware automatically inserting the ORIGIN into the header... but seemingly not removing whatever was in there already.

Failed to load https://vtag-local.stone-env.net:8443/login: The 'Access-Control-Allow-Origin' header contains multiple values 'https://vtag-local.stone-env.net:3000, *', but only one is allowed. Origin 'https://vtag-local.stone-env.net:3000' is therefore not allowed access.

This all worked fine for me until I upgraded Restify and had to stop using "restify.CORS()" ...

@alexgoldstone

I have exactly the same issue...

My code looks like:

const cors = restifyCorsMiddleware({
    preflightMaxAge: 5,
    origins: ['https://*:*'],
    allowHeaders: ['Authorization'],
    exposeHeaders: []
});

Two headers are being returned to the browser:

access-control-allow-origin: *
access-control-allow-origin: https://my.domain.com
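
Added example, not part of any post in this thread and not code from restify or restify-cors-middleware: a small Node.js check that classifies a response the way the browser error quoted above does, covering both the comma-joined value and the two separate header lines reported here. The function names and the sample header arrays are constructed for illustration; the input layout matches Node's `rawHeaders` (`[name, value, name, value, ...]`).

```javascript
'use strict';

// Collect every Access-Control-Allow-Origin value from a raw header list in
// Node's `rawHeaders` layout: [name1, value1, name2, value2, ...].
// Repeated header lines and comma-joined values are both counted, because
// HTTP libraries and intermediaries may fold repeated lines into one.
function allowOriginValues(rawHeaders) {
  const values = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (rawHeaders[i].toLowerCase() !== 'access-control-allow-origin') continue;
    for (const part of rawHeaders[i + 1].split(',')) {
      const v = part.trim();
      if (v !== '') values.push(v);
    }
  }
  return values;
}

// Apply the browser's rule: exactly one value, which must be the request's
// Origin or '*' ('*' is not accepted for credentialed requests).
function auditAllowOrigin(rawHeaders, requestOrigin, withCredentials = false) {
  const values = allowOriginValues(rawHeaders);
  if (values.length === 0) return { verdict: 'missing', values };
  if (values.length > 1) return { verdict: 'multiple', values };
  if (values[0] === '*') {
    return { verdict: withCredentials ? 'wildcard-with-credentials' : 'ok', values };
  }
  return { verdict: values[0] === requestOrigin ? 'ok' : 'mismatch', values };
}

// Constructed sample responses modelled on the symptoms quoted in the thread.
const ORIGIN = 'https://vtag-local.stone-env.net:3000';
const samples = {
  commaJoined: ['Content-Type', 'application/json',
                'Access-Control-Allow-Origin', ORIGIN + ', *'],
  twoLines: ['access-control-allow-origin', '*',
             'access-control-allow-origin', 'https://my.domain.com'],
  noHeader: ['Content-Type', 'application/json'],
  single: ['Access-Control-Allow-Origin', ORIGIN],
};

for (const [name, raw] of Object.entries(samples)) {
  console.log(name, auditAllowOrigin(raw, ORIGIN).verdict);
}
```

Running the same check after each `.pre` / `.use` handler is toggled shows which handler contributes the extra value.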


tbouchik commented Nov 5, 2019

I have the same behavior as @alexgoldstone with the two headers returned.
My middleware config is the following:
const cors = restifyCorsMiddleware({ preflightMaxAge: 5, origins: ['https://*:*'], allowHeaders: ['Authorization'], exposeHeaders: [] });
Has anybody found a way to get around this issue?


jgtvares commented Jul 3, 2021

up
