Microservice to bring 2FA to self hosted PDSes

Fix CORS: reflect request headers instead of wildcard #13

Summary

  • Firefox rejects credentialed cross-origin requests (e.g. from bsky.app to eurosky.social) when Access-Control-Allow-Headers is *, because per the Fetch spec the wildcard is not treated as a wildcard when credentials are involved
  • Affected endpoints: getSession, createSession, createAccount, describeServer, updateEmail, OAuth sign-in (all routes proxied through the gatekeeper)
  • The PDS reference implementation uses the Express cors package with default config, which reflects the browser's Access-Control-Request-Headers back verbatim rather than sending * (see https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/index.ts#L161)
  • Switch from .allow_headers(Any) to .allow_headers(AllowHeaders::mirror_request()) to match that behaviour
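The browser-side decision the description refers to, as an added example that is not part of this PR or of the gatekeeper's code: a JavaScript model of the Fetch spec's CORS-preflight rules for Access-Control-Allow-Origin and Access-Control-Allow-Headers, run against the "before" (wildcard headers) and "after" (mirrored headers) gatekeeper configurations. It also shows two points the description does not spell out: per the spec, `*` for Allow-Headers never covers `Authorization` even on a non-credentialed request, and a request that really is sent with credentials included is also rejected when Allow-Origin is `*`. The `gatekeeperPreflight` function and its option names, the `X-Trace-Id` header and the origin `https://bsky.app` (taken from the description) are constructed for the illustration; the variant that mirrors the origin and sets Access-Control-Allow-Credentials is an assumption beyond this PR, which keeps `allow_origin(Any)`.

```javascript
// Model of the browser-side CORS preflight check from the Fetch spec, reduced to
// Access-Control-Allow-Origin and Access-Control-Allow-Headers. Requests,
// responses and option names below are constructed for this illustration.

// Simplified safelist: the spec additionally restricts Content-Type to a few
// MIME types before it counts as safelisted; that nuance is ignored here.
const CORS_SAFELISTED_REQUEST_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Comma-separated header value -> trimmed, lower-cased tokens.
function splitList(value) {
  if (value === undefined) return [];
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, credentials: "include" | "omit", headers: [names] }
// response: { status, headers: { lowerCaseName: value } }
// Returns { ok, reason } the way a browser would accept or refuse the preflight.
function checkPreflight(request, response) {
  const h = response.headers;
  const credentialed = request.credentials === "include";
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: "preflight status " + response.status };
  }
  // Allow-Origin: "*" is only acceptable when the request carries no credentials.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (allowOrigin === "*") {
    if (credentialed) return { ok: false, reason: "Allow-Origin * with credentials" };
  } else if (allowOrigin !== request.origin) {
    return { ok: false, reason: "Allow-Origin mismatch" };
  }
  if (credentialed && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "credentials without Allow-Credentials: true" };
  }
  // Allow-Headers: "*" is a wildcard only without credentials, and per the spec
  // it never covers Authorization even then.
  const allowed = splitList(h["access-control-allow-headers"]);
  const wildcard = !credentialed && allowed.includes("*");
  for (const name of request.headers.map((n) => n.toLowerCase())) {
    if (CORS_SAFELISTED_REQUEST_HEADERS.has(name)) continue;
    if (allowed.includes(name)) continue;
    if (wildcard && name !== "authorization") continue;
    return { ok: false, reason: "header not allowed: " + name };
  }
  return { ok: true, reason: "" };
}

// Server side (hypothetical helper): the preflight response a gatekeeper-like
// proxy would send. mirrorHeaders=false is allow_headers(Any); mirrorHeaders=true
// echoes Access-Control-Request-Headers verbatim, as AllowHeaders::mirror_request()
// and the Express cors default do. mirrorOrigin/credentials go beyond this PR.
function gatekeeperPreflight(request, opts) {
  const h = {
    "access-control-allow-methods": "GET,OPTIONS,POST",
    "access-control-allow-origin": opts.mirrorOrigin ? request.origin : "*",
    "access-control-allow-headers": opts.mirrorHeaders ? request.headers.join(",") : "*",
  };
  if (opts.credentials) h["access-control-allow-credentials"] = "true";
  return { status: 200, headers: h };
}

// Constructed client requests and the server configurations to pair them with.
function runScenarios() {
  const origin = "https://bsky.app";
  const bearer = { origin, credentials: "omit", headers: ["Authorization", "Content-Type"] };
  const custom = { origin, credentials: "omit", headers: ["Content-Type", "X-Trace-Id"] };
  const cookie = { origin, credentials: "include", headers: ["Content-Type", "X-Trace-Id"] };
  const before = { mirrorHeaders: false, mirrorOrigin: false };       // allow_headers(Any)
  const after = { mirrorHeaders: true, mirrorOrigin: false };         // this PR
  const credWild = { mirrorHeaders: false, mirrorOrigin: true, credentials: true };
  const credMirror = { mirrorHeaders: true, mirrorOrigin: true, credentials: true };
  return {
    bearerBefore: checkPreflight(bearer, gatekeeperPreflight(bearer, before)),
    bearerAfter: checkPreflight(bearer, gatekeeperPreflight(bearer, after)),
    customBefore: checkPreflight(custom, gatekeeperPreflight(custom, before)),
    customAfter: checkPreflight(custom, gatekeeperPreflight(custom, after)),
    cookieAfter: checkPreflight(cookie, gatekeeperPreflight(cookie, after)),
    cookieCredentialedWildcard: checkPreflight(cookie, gatekeeperPreflight(cookie, credWild)),
    cookieCredentialedMirrored: checkPreflight(cookie, gatekeeperPreflight(cookie, credMirror)),
  };
}
```

Reading the results: a bearer-token request fails against the wildcard configuration only because of `Authorization`, and passes once the headers are mirrored, which is the case this PR fixes while keeping `allow_origin(Any)`. A request with credentials mode `include` is refused by the `after` configuration too, because Allow-Origin is still `*`; it only succeeds when the origin is mirrored, Allow-Credentials is set, and the headers are mirrored rather than `*`.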
AT URI
at://did:plc:autcqcg4hsvgdf3hwt4cvci3/sh.tangled.repo.pull/3mfzonbhq4z22
+2 -2
Diff #0
src/main.rs
··· 32 32 }; 33 33 use tower_http::{ 34 34 compression::CompressionLayer, 35 - cors::{Any, CorsLayer}, 35 + cors::{AllowHeaders, Any, CorsLayer}, 36 36 }; 37 37 use tracing::log; 38 38 use tracing_subscriber::{EnvFilter, fmt, prelude::*}; ··· 352 352 let cors = CorsLayer::new() 353 353 .allow_origin(Any) 354 354 .allow_methods([Method::GET, Method::OPTIONS, Method::POST]) 355 - .allow_headers(Any); 355 + .allow_headers(AllowHeaders::mirror_request()); 356 356 357 357 let mut app = Router::new() 358 358 .route("/", get(root_handler))
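Review bot: the credentials restriction the description cites for `Access-Control-Allow-Headers: *` applies equally to `Access-Control-Allow-Origin: *`, and the second hunk keeps `.allow_origin(Any)` while only switching `.allow_headers(Any)` to `AllowHeaders::mirror_request()`. If the failing requests are really sent with credentials mode `include`, the browser will still refuse the response because the origin is a wildcard, so `allow_origin` would need the same treatment (`AllowOrigin::mirror_request()` in tower_http) together with `.allow_credentials(true)`; if they are bearer-token requests without credentials included, mirroring the headers is the fix and the origin wildcard is fine. Worth stating which case this is in the commit message so the next reader does not re-investigate. Also note that mirroring request headers is as permissive as `*`, not a tightening: the proxy will echo any header name the browser asks for, which is acceptable for a token-authenticated API but should not be read as an allowlist.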

History

1 round 1 comment
1 commit
Fix CORS: reflect request headers instead of wildcard
1 comment

LGTM! Thank you!

pull request successfully merged