Unable to configure CORS for multiple mappings #12719

Closed
leadtrip opened this issue Sep 28, 2022 · 1 comment · Fixed by #13204

leadtrip commented Sep 28, 2022

Expected Behavior

Adding cors mappings with lists of allowedOrigins to application.yml should result in these mappings being applied when making relevant cors requests.

Actual Behaviour

The mappings aren't applied and access is open to all.

Steps To Reproduce

In development environment.

With this config

grails:
    cors:
        enabled: true
        allowedHeaders:
            - Content-Type
        mappings:
            '[/word/googleOnly]':
                allowedOrigins:
                    - https://www.google.com
            '[/word/stackoverflowOnly]':
                allowedOrigins:
                    - https://stackoverflow.com
            '[/word/anywhere]':
                allowedOrigins:
                    - '*'

Make a fetch request to /word/googleOnly in the linked app from a browser's developer console e.g.

fetch("http://localhost:10005/word/googleOnly").then(a => a.text()).then(console.log)

This should only be possible from https://www.google.com but it's possible from any domain e.g.

[Screenshot: grails cors from google]

[Screenshot: grails cors from grailsorg]

The attached screenshot of a debugging session in GrailsCorsConfiguration highlights the issue, where the code is expecting an allowedOrigins key but, depending on how many keys there are, they are named allowedOrigins[0] and so on.

[Screenshot: GrailsCorsConfiguration]

Environment Information

Windows 10 & 11
Open JDK 8
Grails 5.2.4

Example Application

https://github.com/leadtrip/g524cors

Version

5.2.4

@puneetbehl
Contributor

I think this is the result of something which has changed with Spring Boot, see spring-projects/spring-boot#6180

The solution would be to fix the class to use the type Map<String, List<String>> instead of Map<String, Object>, where in the latter a list is converted to a hash map.

A workaround is to provide the configuration through the application.groovy file instead of YAML as:

grails {
    cors {
        enabled = true
        allowedHeaders = 'Content-Type'
        mappings {
            "/word/googleOnly" {
                allowedOrigins = ['https://www.google.com']
            }
            "/word/anywhere" {
                allowedOrigins = ['*']
            }
        }
    }
}
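
A minimal model of the failure described in this thread, added here as an illustration and not code from Grails or from either commenter. It contrasts a lookup that reads only the exact `allowedOrigins` key with one that also accepts the indexed keys and fails closed. The method names `naiveOrigins` and `strictOrigins`, the allow-all fallback (inferred from "access is open to all") and the sample map are assumptions made for this example.

```groovy
// Added example, not Grails source. Constructed sample of the per-path settings
// in the shape the issue reports: YAML list items flattened into indexed keys.
Map<String, Map<String, Object>> flattened = [
    '/word/googleOnly'       : ['allowedOrigins[0]': 'https://www.google.com'],
    '/word/stackoverflowOnly': ['allowedOrigins[0]': 'https://stackoverflow.com'],
    '/word/anywhere'         : ['allowedOrigins[0]': '*'],
    '/word/typo'             : ['allowedOrigin': 'https://example.org'] // constructed: misspelt key
]

// Hypothetical lookup modelling the reported behaviour: only the exact key is
// read, and a missing key falls back to allow-all (assumption, see lead-in).
List<String> naiveOrigins(Map<String, Object> cfg) {
    def value = cfg['allowedOrigins']
    value instanceof Collection ? value.collect { it.toString() } : ['*']
}

// Hypothetical fail-closed reader: accepts a real list or indexed keys, and
// returns an empty list (no origin allowed) when neither form is present.
List<String> strictOrigins(Map<String, Object> cfg) {
    def value = cfg['allowedOrigins']
    if (value instanceof Collection) {
        return value.collect { it.toString() }
    }
    // Collect allowedOrigins[0], allowedOrigins[1], ... in index order.
    def indexed = cfg.findAll { k, v -> k ==~ /allowedOrigins\[\d+\]/ }
    indexed.sort { a, b ->
        a.key.find(/\d+/).toInteger() <=> b.key.find(/\d+/).toInteger()
    }.collect { it.value.toString() }
}

// Print both readings side by side for every constructed mapping.
flattened.each { path, cfg ->
    println "${path}: naive=${naiveOrigins(cfg)} strict=${strictOrigins(cfg)}"
}

// The exact-key lookup silently widens a single-origin mapping to allow-all.
assert naiveOrigins(flattened['/word/googleOnly']) == ['*']
// Reading the indexed keys recovers the configured origin.
assert strictOrigins(flattened['/word/googleOnly']) == ['https://www.google.com']
// An unrecognised key yields no allowed origins instead of every origin.
assert strictOrigins(flattened['/word/typo']) == []
```

Run it with `groovy` as a plain script; the assertions fail loudly if either reader stops behaving as described.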
