Description
Gitea has hardcoded what headers are permitted via CORS. This list does not include "Content-Type", which is needed in order to get browsers to POST JSON data to the Gitea backend.
The relevant call (gitea/routers/api/v1/api.go, lines 614 to 622 at commit 5a6cba4):

```go
m.Use(cors.Handler(cors.Options{
	// Scheme: setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
	AllowedOrigins: setting.CORSConfig.AllowDomain,
	// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
	AllowedMethods:   setting.CORSConfig.Methods,
	AllowCredentials: setting.CORSConfig.AllowCredentials,
	AllowedHeaders:   []string{"Authorization", "X-Gitea-OTP"},
	MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),
}))
```
Ideally this would be customizable via a configuration file, but at the least include "Content-Type".
JS Example
```js
fetch(`http://172.23.66.96:3000/api/v1/repos/some_org/some_repo/issues`, {
  method: "POST",
  body: `{"title": "Test issue", "body": "Test body"}`,
  headers: {
    Authorization: "Bearer [...]",
    "Content-Type": "application/json"
  }
})
```
Preflight
```http
OPTIONS /api/v1/repos/some_org/some_repo/issues HTTP/1.1
Host: 172.23.66.96:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Origin: [...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
```
The middleware rejects this preflight, since Content-Type is not in the hardcoded allow list. After adding `Debug: true` to the cors.Handler call (see the snippet above), the rejection shows up in the Gitea logs.
Gitea Output
```
2022/11/09 16:42:17 cmd/web.go:106:runWeb() [I] Starting Gitea on PID: 22617
2022/11/09 16:42:17 cmd/web.go:157:runWeb() [I] Global init
[...]
[cors] 2022/11/09 17:23:17 Handler: Preflight request
[cors] 2022/11/09 17:23:17 Preflight aborted: headers '[Authorization Content-Type]' not allowed
2022/11/09 17:23:17 [636c2855] router: completed OPTIONS /api/v1/repos/some_org/some_repo/issues for 172.23.64.1:63690, 200 OK in 0.1ms @ unknown-handler
```
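As an added illustration (not code from this issue or from Gitea itself), the following Go model replays the report's preflight against the hardcoded list and against the same list with Content-Type added. The header comparison and the bare 200 on abort are a simplified model of how such a CORS middleware behaves, and the Origin value is a constructed placeholder since the report redacts it.

```go
package main

import (
	"net/http"
	"strings"
)

// The list hardcoded in Gitea 1.17.3 as quoted in the issue, and the same list
// with Content-Type added (assumption: the minimal fix the issue asks for).
var giteaAllowedHeaders = []string{"Authorization", "X-Gitea-OTP"}
var fixedAllowedHeaders = []string{"Authorization", "X-Gitea-OTP", "Content-Type"}

// preflightAllowed reports whether every header named in the browser's
// Access-Control-Request-Headers is in the allow list (header names are
// case-insensitive, so both sides are lower-cased) and lists any that are not.
func preflightAllowed(allowed []string, requested string) (bool, []string) {
	set := make(map[string]bool, len(allowed))
	for _, h := range allowed {
		set[strings.ToLower(h)] = true
	}
	var rejected []string
	for _, h := range strings.Split(requested, ",") {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" && !set[h] {
			rejected = append(rejected, h)
		}
	}
	return len(rejected) == 0, rejected
}

// corsPreflight is a simplified model of the middleware's OPTIONS handling: an
// accepted preflight is answered with Access-Control-Allow-* headers, a rejected
// one with a bare 200 and none (the "200 OK" in the log), so the browser blocks.
func corsPreflight(allowed []string, req http.Header) (int, http.Header) {
	resp := http.Header{}
	requested := req.Get("Access-Control-Request-Headers")
	if ok, _ := preflightAllowed(allowed, requested); ok {
		resp.Set("Access-Control-Allow-Origin", req.Get("Origin"))
		resp.Set("Access-Control-Allow-Methods", req.Get("Access-Control-Request-Method"))
		resp.Set("Access-Control-Allow-Headers", requested)
	}
	return http.StatusOK, resp
}

// issuePreflight rebuilds the preflight headers from the report (the Origin is a
// constructed placeholder; the report redacts it).
func issuePreflight() http.Header {
	h := http.Header{}
	h.Set("Origin", "http://example.invalid")
	h.Set("Access-Control-Request-Method", "POST")
	h.Set("Access-Control-Request-Headers", "authorization,content-type")
	return h
}
```

With the hardcoded list the response carries no Access-Control-Allow-Headers, which is why the browser never sends the POST even though the server answered 200.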
Gitea Version
1.17.3
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
https://gist.github.com/drewmnoel/e771b9f47d96846aeaea02263f44486a
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Gitea build information:
- Gitea version 1.17.3 built with GNU Make 4.3, go1.19.3 : bindata, sqlite, sqlite_unlock_notify
I'm running on the command line with the following section added to the default app.ini:
```ini
[cors]
ENABLED = true
SCHEME = http
ALLOW_DOMAIN = *
METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
MAX_AGE = 10m
ALLOW_CREDENTIALS = true
X_FRAME_OPTIONS = SAMEORIGIN
```
Database
No response