fix(gateway): include CORS on subdomain redirects

Depends on ipfs/boxo#395 Closes #9983
ipfs · Jun 26, 2023 · 0dbb50d · 0dbb50d
1 parent 67cd516
commit 0dbb50d
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 24 deletions.
diff --git a/config/init.go b/config/init.go
@@ -67,12 +67,8 @@ func InitWithIdentity(identity Identity) (*Config, error) {
 			RootRedirect: "",
 			NoFetch:      false,
 			PathPrefixes: []string{},
-			HTTPHeaders: map[string][]string{
-				"Access-Control-Allow-Origin":  {"*"},
-				"Access-Control-Allow-Methods": {"GET"},
-				"Access-Control-Allow-Headers": {"X-Requested-With", "Range", "User-Agent"},
-			},
-			APICommands: []string{},
+			HTTPHeaders:  map[string][]string{},
+			APICommands:  []string{},
 		},
 		Reprovider: Reprovider{
 			Interval: nil,

diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/ipfs/boxo v0.10.2-0.20230620120822-417c5f7d61ff
+	github.com/ipfs/boxo v0.10.2-0.20230626222127-473506271233
 	github.com/ipfs/go-block-format v0.1.2
 	github.com/ipfs/go-cid v0.4.1
 	github.com/ipfs/go-cidutil v0.1.0

diff --git a/go.sum b/go.sum
@@ -355,8 +355,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/ipfs/bbloom v0.0.4 h1:Gi+8EGJ2y5qiD5FbsbpX/TMNcJw8gSqr7eyjHa4Fhvs=
 github.com/ipfs/bbloom v0.0.4/go.mod h1:cS9YprKXpoZ9lT0n/Mw/a6/aFV6DTjTLYHeA+gyqMG0=
-github.com/ipfs/boxo v0.10.2-0.20230620120822-417c5f7d61ff h1:QnYD2h1e55nX9lSl5k8YVij1VIOICR7lPJlhbKOQjNM=
-github.com/ipfs/boxo v0.10.2-0.20230620120822-417c5f7d61ff/go.mod h1:OGMmq97krQBiKx8LRGyf5DgWHeu+PDdIHNN2YnQlWjs=
+github.com/ipfs/boxo v0.10.2-0.20230626222127-473506271233 h1:eWyELpyY+KdlAuwlpGfTRb1YEIO02orbHkYtZkGwqrI=
+github.com/ipfs/boxo v0.10.2-0.20230626222127-473506271233/go.mod h1:OGMmq97krQBiKx8LRGyf5DgWHeu+PDdIHNN2YnQlWjs=
 github.com/ipfs/go-bitfield v1.1.0 h1:fh7FIo8bSwaJEh6DdTWbCeZ1eqOaOkKFI74SCnsWbGA=
 github.com/ipfs/go-bitfield v1.1.0/go.mod h1:paqf1wjq/D2BBmzfTVFlJQ9IlFOZpg422HL0HqsGWHU=
 github.com/ipfs/go-block-format v0.0.2/go.mod h1:AWR46JfpcObNfg3ok2JHDUfdiHRgWhJgCQF+KIgOPJY=

diff --git a/test/sharness/t0112-gateway-cors.sh b/test/sharness/t0112-gateway-cors.sh
@@ -7,21 +7,9 @@ test_description="Test CORS behavior on Gateway port"
 test_init_ipfs
 
 # Default config
-test_expect_success "Default Gateway.HTTPHeaders config match expected values" '
+test_expect_success "Default Gateway.HTTPHeaders is empty (implicit CORS values from boxo/gateway)" '
 cat <<EOF > expected
-{
-  "Access-Control-Allow-Headers": [
-    "X-Requested-With",
-    "Range",
-    "User-Agent"
-  ],
-  "Access-Control-Allow-Methods": [
-    "GET"
-  ],
-  "Access-Control-Allow-Origin": [
-    "*"
-  ]
-}
+{}
 EOF
     ipfs config --json Gateway.HTTPHeaders > actual &&
     test_cmp expected actual
@@ -43,13 +31,19 @@ test_expect_success "GET to Gateway succeeds" '
 test_expect_success "GET response for Gateway resource looks good" '
   test_should_contain "< Access-Control-Allow-Origin: \*" curl_output &&
   test_should_contain "< Access-Control-Allow-Methods: GET" curl_output &&
+  test_should_contain "< Access-Control-Allow-Methods: HEAD" curl_output &&
+  test_should_contain "< Access-Control-Allow-Methods: OPTIONS" curl_output &&
+  test_should_contain "< Access-Control-Allow-Headers: Content-Type" curl_output &&
   test_should_contain "< Access-Control-Allow-Headers: Range" curl_output &&
+  test_should_contain "< Access-Control-Allow-Headers: User-Agent" curl_output &&
+  test_should_contain "< Access-Control-Allow-Headers: X-Requested-With" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: Content-Range" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+  test_should_contain "< Access-Control-Expose-Headers: X-Chunked-Output" curl_output &&
+  test_should_contain "< Access-Control-Expose-Headers: X-Stream-Output" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output
 '
-
 # HTTP OPTIONS Request
 test_expect_success "OPTIONS to Gateway succeeds" '
   curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
@@ -60,13 +54,34 @@ test_expect_success "OPTIONS to Gateway succeeds" '
 test_expect_success "OPTIONS response for Gateway resource looks good" '
   test_should_contain "< Access-Control-Allow-Origin: \*" curl_output &&
   test_should_contain "< Access-Control-Allow-Methods: GET" curl_output &&
+  test_should_contain "< Access-Control-Allow-Methods: HEAD" curl_output &&
+  test_should_contain "< Access-Control-Allow-Methods: OPTIONS" curl_output &&
+  test_should_contain "< Access-Control-Allow-Headers: Content-Type" curl_output &&
   test_should_contain "< Access-Control-Allow-Headers: Range" curl_output &&
+  test_should_contain "< Access-Control-Allow-Headers: User-Agent" curl_output &&
+  test_should_contain "< Access-Control-Allow-Headers: X-Requested-With" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: Content-Range" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+  test_should_contain "< Access-Control-Expose-Headers: X-Chunked-Output" curl_output &&
+  test_should_contain "< Access-Control-Expose-Headers: X-Stream-Output" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
   test_should_contain "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output
 '
 
+# HTTP OPTIONS Request on path → subdomain HTTP 301 redirect
+# (regression test for https://github.com/ipfs/kubo/issues/9983#issuecomment-1599673976)
+test_expect_success "OPTIONS to Gateway succeeds" '
+  curl -svX OPTIONS -H "Origin: https://example.com" "http://localhost:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
+  cat curl_output
+'
+# OPTION Response from Gateway should contain CORS headers
+test_expect_success "OPTIONS response for subdomain redirect looks good" '
+  test_should_contain "HTTP/1.1 301 Moved Permanently" curl_output &&
+  test_should_contain "Location" curl_output &&
+  test_should_contain "< Access-Control-Allow-Origin: \*" curl_output &&
+  test_should_contain "< Access-Control-Allow-Methods: GET" curl_output
+'
+
 test_kill_ipfs_daemon
 
 # Test CORS safelisting of custom headers