github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #33242 from dims/fix-cors-hander-issue-33231

Browse Source 
Automatic merge from submit-queue

Support Access-Control-Expose-Headers in CORS Handler

Our typical HTTP Response has a "Date" Header, if we don't add an
additional http header "Access-Control-Expose-Headers: Date" then
the browser based clients cannot use the Date HTTP Header.

Fixes #33231

**Release note**:
<!--  Steps to write your release note:
1. Use the release-note-* labels to set the release note state (if you have access) 
2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. 
-->
```release-note
When CORS Handler is enabled, we now add a new HTTP header named "Access-Control-Expose-Headers" with a value of "Date". This allows the "Date" HTTP header to be accessed from XHR/JavaScript.
```
This commit is contained in:
Kubernetes Submit Queue 2016-09-29 00:49:04 -07:00 committed by GitHub
commit 5d218f938a
3 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/genericapiserver/config.go
View File

@ -353,7 +353,7 @@ func (c Config) New() (*GenericAPIServer, error) {
func (s *GenericAPIServer) buildHandlerChains(c *Config, handler http.Handler) (secure http.Handler, insecure http.Handler) { func (s *GenericAPIServer) buildHandlerChains(c *Config, handler http.Handler) (secure http.Handler, insecure http.Handler) {
// filters which insecure and secure have in common // filters which insecure and secure have in common
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, "true") handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
// insecure filters // insecure filters
insecure = handler insecure = handler

6
pkg/genericapiserver/filters/cors.go
View File

@ -35,7 +35,7 @@ import (
// WithCORS is a simple CORS implementation that wraps an http Handler. // WithCORS is a simple CORS implementation that wraps an http Handler.
// Pass nil for allowedMethods and allowedHeaders to use the defaults. If allowedOriginPatterns // Pass nil for allowedMethods and allowedHeaders to use the defaults. If allowedOriginPatterns
// is empty or nil, no CORS support is installed. // is empty or nil, no CORS support is installed.
func WithCORS(handler http.Handler, allowedOriginPatterns []string, allowedMethods []string, allowedHeaders []string, allowCredentials string) http.Handler { func WithCORS(handler http.Handler, allowedOriginPatterns []string, allowedMethods []string, allowedHeaders []string, exposedHeaders []string, allowCredentials string) http.Handler {
if len(allowedOriginPatterns) == 0 { if len(allowedOriginPatterns) == 0 {
return handler return handler
} }
@ -58,8 +58,12 @@ func WithCORS(handler http.Handler, allowedOriginPatterns []string, allowedMetho
if allowedHeaders == nil { if allowedHeaders == nil {
allowedHeaders = []string{"Content-Type", "Content-Length", "Accept-Encoding", "X-CSRF-Token", "Authorization", "X-Requested-With", "If-Modified-Since"} allowedHeaders = []string{"Content-Type", "Content-Length", "Accept-Encoding", "X-CSRF-Token", "Authorization", "X-Requested-With", "If-Modified-Since"}
} }
if exposedHeaders == nil {
exposedHeaders = []string{"Date"}
}
w.Header().Set("Access-Control-Allow-Methods", strings.Join(allowedMethods, ", ")) w.Header().Set("Access-Control-Allow-Methods", strings.Join(allowedMethods, ", "))
w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowedHeaders, ", ")) w.Header().Set("Access-Control-Allow-Headers", strings.Join(allowedHeaders, ", "))
w.Header().Set("Access-Control-Expose-Headers", strings.Join(exposedHeaders, ", "))
w.Header().Set("Access-Control-Allow-Credentials", allowCredentials) w.Header().Set("Access-Control-Allow-Credentials", allowCredentials)
// Stop here if its a preflight OPTIONS request // Stop here if its a preflight OPTIONS request

8
pkg/genericapiserver/filters/cors_test.go
View File

@ -39,7 +39,7 @@ func TestCORSAllowedOrigins(t *testing.T) {
for _, item := range table { for _, item := range table {
handler := WithCORS( handler := WithCORS(
http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}), http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}),
item.allowedOrigins, nil, nil, "true", item.allowedOrigins, nil, nil, nil, "true",
) )
server := httptest.NewServer(handler) server := httptest.NewServer(handler)
defer server.Close() defer server.Close()
@ -72,6 +72,9 @@ func TestCORSAllowedOrigins(t *testing.T) {
if response.Header.Get("Access-Control-Allow-Methods") == "" { if response.Header.Get("Access-Control-Allow-Methods") == "" {
t.Errorf("Expected Access-Control-Allow-Methods header to be set") t.Errorf("Expected Access-Control-Allow-Methods header to be set")
} }
if response.Header.Get("Access-Control-Expose-Headers") != "Date" {
t.Errorf("Expected Date in Access-Control-Expose-Headers header")
}
} else { } else {
if response.Header.Get("Access-Control-Allow-Origin") != "" { if response.Header.Get("Access-Control-Allow-Origin") != "" {
t.Errorf("Expected Access-Control-Allow-Origin header to not be set") t.Errorf("Expected Access-Control-Allow-Origin header to not be set")
@ -88,6 +91,9 @@ func TestCORSAllowedOrigins(t *testing.T) {
if response.Header.Get("Access-Control-Allow-Methods") != "" { if response.Header.Get("Access-Control-Allow-Methods") != "" {
t.Errorf("Expected Access-Control-Allow-Methods header to not be set") t.Errorf("Expected Access-Control-Allow-Methods header to not be set")
} }
if response.Header.Get("Access-Control-Expose-Headers") == "Date" {
t.Errorf("Expected Date in Access-Control-Expose-Headers header")
}
} }
} }
} }