markusthoemmes closed pull request #4010: CORS headers work
URL: https://github.com/apache/incubator-openwhisk/pull/4010
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git
a/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
b/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
index 3f69c832c3..5199889186 100644
--- a/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
@@ -19,6 +19,7 @@ package whisk.core.controller
import akka.actor.ActorSystem
import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
+import akka.http.scaladsl.model.HttpMethods.{DELETE, GET, HEAD, POST, PUT}
import akka.http.scaladsl.model.StatusCodes._
import akka.http.scaladsl.model.Uri
import akka.http.scaladsl.model.headers._
@@ -150,8 +151,10 @@ protected[controller] object RestApiCommons {
*/
protected[controller] trait RespondWithHeaders extends Directives {
val allowOrigin = `Access-Control-Allow-Origin`.*
- val allowHeaders = `Access-Control-Allow-Headers`("Authorization",
"Content-Type")
- val sendCorsHeaders = respondWithHeaders(allowOrigin, allowHeaders)
+ val allowHeaders = `Access-Control-Allow-Headers`("*")
+ val allowMethods =
+ `Access-Control-Allow-Methods`(GET, DELETE, POST, PUT, HEAD)
+ val sendCorsHeaders = respondWithHeaders(allowOrigin, allowHeaders,
allowMethods)
}
case class WhiskInformation(buildNo: String, date: String)
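Review bot: The new ``val allowHeaders = `Access-Control-Allow-Headers`("*")`` in `RespondWithHeaders` probably does not cover the header this API authenticates with. Under the Fetch specification the `*` wildcard never matches `Authorization`, which must be listed by name, and browsers without wildcard support read `*` as a literal header name. A preflight for a call carrying the OpenWhisk key in `Authorization` could therefore be rejected where the old explicit list allowed it. Keeping the names next to the wildcard avoids that: ``val allowHeaders = `Access-Control-Allow-Headers`("*", "Authorization", "Content-Type")``. The same applies to `defaultCorsWithAllowHeader` in WebActions.scala. Separately, `allowMethods` omits `OPTIONS` and `PATCH`, which the web-actions list includes; please confirm that is intended.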
diff --git
a/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
index 6f526575f2..e03bdc8703 100644
--- a/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
+++ b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala
@@ -383,7 +383,7 @@ trait WhiskWebActionsApi extends Directives with
ValidateRequestSize with PostAc
List(`Access-Control-Allow-Origin`.*,
`Access-Control-Allow-Methods`(OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH))
private val defaultCorsWithAllowHeader = {
- defaultCorsBaseResponse :+
`Access-Control-Allow-Headers`(`Authorization`.name, `Content-Type`.name)
+ defaultCorsBaseResponse :+ `Access-Control-Allow-Headers`("*")
}
private def defaultCorsResponse(headers: Seq[HttpHeader]): List[HttpHeader]
= {
diff --git a/docs/rest_api.md b/docs/rest_api.md
index b6c04a2bc8..28932be570 100644
--- a/docs/rest_api.md
+++ b/docs/rest_api.md
@@ -82,7 +82,7 @@ curl -u USERNAME:PASSWORD
https://openwhisk.ng.bluemix.net/api/v1/namespaces/whi
In this example the authentication was passed using the `-u` flag, you can
pass this value also as part of the URL as `https://$AUTH@{APIHOST}`
-The OpenWhisk API supports request-response calls from web clients. OpenWhisk
responds to `OPTIONS` requests with Cross-Origin Resource Sharing headers.
Currently, all origins are allowed (that is, Access-Control-Allow-Origin is
"`*`") and Access-Control-Allow-Headers yield Authorization and Content-Type.
+The OpenWhisk API supports request-response calls from web clients. OpenWhisk
responds to `OPTIONS` requests with Cross-Origin Resource Sharing headers.
Currently, all origins are allowed (that is, Access-Control-Allow-Origin is
"`*`"), the standard set of methods are allowed (that is,
Access-Control-Allow-Methods is "`GET, DELETE, POST, PUT, HEAD`"), and
Access-Control-Allow-Headers yields "`*`".
**Attention:** Because OpenWhisk currently supports only one key per
namespace, it is not recommended to use CORS beyond simple experiments. Use
[Web Actions](webactions.md) or [API Gateway](apigateway.md) to expose your
actions to the public and not use the OpenWhisk authorization key for client
applications that require CORS.
diff --git a/docs/webactions.md b/docs/webactions.md
index 3e98fe06c0..547fcba85a 100644
--- a/docs/webactions.md
+++ b/docs/webactions.md
@@ -450,7 +450,7 @@ if it is present in the HTTP request. Otherwise, a default
value is generated as
```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, DELETE, POST, PUT, HEAD, PATCH
-Access-Control-Allow-Headers: Authorization, Content-Type
+Access-Control-Allow-Headers: *
```
Alternatively, OPTIONS requests can be handled manually by a web action. To
enable this option add a
diff --git a/tests/src/test/scala/services/HeadersTests.scala
b/tests/src/test/scala/services/HeadersTests.scala
index 42c51c3d7c..c0485de82d 100644
--- a/tests/src/test/scala/services/HeadersTests.scala
+++ b/tests/src/test/scala/services/HeadersTests.scala
@@ -64,7 +64,7 @@ class HeadersTests extends FlatSpec with Matchers with
ScalaFutures with WskActo
val creds = BasicHttpCredentials(whiskAuth.fst, whiskAuth.snd)
val allMethods = Some(Set(DELETE.name, GET.name, POST.name, PUT.name))
val allowOrigin = `Access-Control-Allow-Origin`.*
- val allowHeaders = `Access-Control-Allow-Headers`("Authorization",
"Content-Type")
+ val allowHeaders = `Access-Control-Allow-Headers`("*")
val url =
Uri(s"$controllerProtocol://${WhiskProperties.getBaseControllerAddress()}")
def request(method: HttpMethod, uri: Uri, headers: Option[Seq[HttpHeader]] =
None): Future[HttpResponse] = {
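Review bot: Nothing visible in this hunk checks the `Access-Control-Allow-Methods` header that this commit adds to `sendCorsHeaders`; only the expected `allowHeaders` value is updated. `allMethods` also still lists DELETE, GET, POST and PUT without HEAD, although the new header advertises HEAD. Consider adding an expected value such as ``val allowMethods = `Access-Control-Allow-Methods`(GET, DELETE, POST, PUT, HEAD)`` and asserting it wherever the other CORS headers are compared. Those assertions, and the body of `request`, lie outside this hunk, so this may already be covered elsewhere.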
diff --git a/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
b/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
index 61f374bd54..700f87e499 100644
--- a/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
+++ b/tests/src/test/scala/whisk/core/cli/test/WskWebActionsTests.scala
@@ -204,7 +204,7 @@ class WskWebActionsTests extends TestHelpers with
WskTestHelpers with RestUtil w
response.statusCode shouldBe 200
response.header("Access-Control-Allow-Origin") shouldBe "*"
response.header("Access-Control-Allow-Methods") shouldBe "OPTIONS, GET,
DELETE, POST, PUT, HEAD, PATCH"
- response.header("Access-Control-Allow-Headers") shouldBe "Authorization,
Content-Type"
+ response.header("Access-Control-Allow-Headers") shouldBe "*"
response.header("Location") shouldBe null
response.header("Set-Cookie") shouldBe null
}
diff --git
a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
index ba9e2cc17d..deee6fe270 100644
--- a/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
+++ b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala
@@ -1502,7 +1502,7 @@ trait WebActionsApiBaseTests extends ControllerTestCommon
with BeforeAndAfterEac
if (testHeader.name == `Access-Control-Request-Headers`.name) {
header("Access-Control-Allow-Headers").get.toString shouldBe
"Access-Control-Allow-Headers: x-custom-header"
} else {
- header("Access-Control-Allow-Headers").get.toString shouldBe
"Access-Control-Allow-Headers: Authorization, Content-Type"
+ header("Access-Control-Allow-Headers").get.toString shouldBe
"Access-Control-Allow-Headers: *"
}
}
}