-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix allow_cors: true
returning two Access-Control-Allow-Origin
headers
#489
base: master
Are you sure you want to change the base?
Conversation
Hi there and thanks for your contribution. I honestly don't believe that if shouldReturnFromCache {
rp.serveFromCache(s, srw, req, origParams, q)
} else {
rp.proxyRequest(s, srw, srw, req)
} Adding a header after doesn't seems to have any effect since the I don't have any idea right now on how to handle this. best would be to open an issue, and feel free to propose a solution for this issue as well. thanks |
Hey, Without any change, a call with to chproxy with
You can notice the duplicate When doing the same test with the change of this PR (no config change), we have the following response headers:
As you can see we have only one To finish we can do the same test without the origin on the PRs's version:
Which is the same result as without the change, ie. only one The change works because it will update the |
lgtm, we should release a new version including your fix in 1-2 weeks (we first need to validate and merge the other active PRs) |
I was a bit in a rush in my "looks good to me". Since the bug is tricky and could reappear after a refactoring, can you add a test in main_test.go? |
…eaders Fixes ContentSquare#93. The `Access-Control-Allow-Origin` was set before on the response before the proxy call, and ClickHouse was returning the response with its own `Access-Control-Allow-Origin` (in my case, "*"). So, having `allow_cors: true` was eventually returning two `Access-Control-Allow-Origin`, one from chproxy and one from ClickHouse. This commit just move the `"Access-Control-Allow-Origin` after the proxy call, overriding the value returned by ClickHouse. If `allow_cors: false`, chproxy does not change the value (so it can be, I believe, any value set by ClickHouse), else, with `allow_cors: true`, it will override to either the value of `Origin` request if any or else `*`.
e2fc96d
to
818168b
Compare
Hey @mga-chka! Thanks for looking at this. Would you have an idea of why? EDIT: it seems that every header set after those lines are not returned in the tests: https://github.com/ContentSquare/chproxy/blob/master/proxy.go#L146-L150 |
sorry, I had quite busy days, I'll try to look at the pb before the end of the week. If it's too complex to get the tests works then we will merge the PR as is. |
FYI, your tests were missing a new behavior in the fake clickhouse to add the "Access-Control-Allow-Origin". |
I was not meticulous enough before writting my previous msg. I didn't fix one of your 3 tests, when I fixed it, it was not working anymore. Can you have a look at it? Moreover, the 2 passing tests works even without your change on proxy.go, which means they're not good enough. |
Hey! If the fake CH instance is returning I don't have much time to look at the tests implementation right now, feel free to change the PR as you see best! |
I have some work for the moment so can't spend much time on the OSS part. I'll ask other maintainers if they can look at it. If not, I'll merge it and I'll add a TODO on the tests. |
Description
Fixes #93.
The
Access-Control-Allow-Origin
was set before on the response before the proxy call, and ClickHouse was returning the response with its ownAccess-Control-Allow-Origin
(in my case, "*"). So, havingallow_cors: true
was eventually returning twoAccess-Control-Allow-Origin
, one from chproxy and one from ClickHouse.This commit just move the
"Access-Control-Allow-Origin
after the proxy call, overriding the value returned by ClickHouse. Ifallow_cors: false
, chproxy does not change the value (so it can be, I believe, any value set by ClickHouse), else, withallow_cors: true
, it will override to either the value ofOrigin
request if any or else*
.Pull request type
Please check the type of change your PR introduces:
Checklist
Does this introduce a breaking change?
Further comments
The only thing I'm not sure is if we want to pass the initial
Access-Control-Allow-Origin
that was set originally.But in my understanding of the feature, the goal is not to add this header to the proxied request to ClickHouse, but rather on the chproxy response.