https://www.ory.sh/ logo
Join SlackCommunities
Powered by
I may be running into a CORS bug? It doesn’t seem ...
# talk-kratos
p
I may be running into a CORS bug? It doesn’t seem like Kratos is responding with the CORS headers at all. Am I missing something? My config:
Copy code
serve:
  public:
    base_url: <https://auth.mydomain.com/>
    cors:
      enabled: true
      debug: true
      allowed_origins:
      - <https://mydomain.com>
      allowed_methods:
      - POST
      - GET
      - PUT
      - PATCH
      - DELETE
      allowed_headers:
      - Authorization
      - Cookie
      - Content-Type
      exposed_headers:
      - Content-Type
      - Set-Cookie
curl -v -H "Origin: <https://mydomain.com>" -H "Accept: application/json" <http://kratos-public/self-service/login/browser>
Copy code
< HTTP/1.1 200 OK
< Cache-Control: private, no-cache, no-store, must-revalidate
< Content-Type: application/json; charset=utf-8
< Set-Cookie: csrf_token_5c51a995dd623ddb0e303f9eaf4401a59ccc98b62b61aebc2deae2ca0c291484=gFj0H6qF1crfDdy2yedTkVggypxI3Lx9tsFzSqyzprg=; Path=/; Domain=<http://mydomain.com|mydomain.com>; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
< Vary: Cookie
< Date: Thu, 01 Dec 2022 22:06:17 GMT
< Content-Length: 1983
kratos logs:
Copy code
time=2022-12-01T22:07:07Z level=info msg=started handling request http_request=map[headers:map[accept:application/json origin:<https://mydomain.com> user-agent:curl/7.86.0] host:kratos-public method:GET path:/self-service/login/browser query:<nil> remote:252.64.130.136:55654 scheme:http]
[cors] 2022/12/01 22:07:07 ServeHTTP: Actual request

[cors] 2022/12/01 22:07:07   Actual response added headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Origin:[<https://mydoamin.com>] Access-Control-Expose-Headers:[Content-Type, Set-Cookie] Cache-Control:[private, no-cache, no-store, must-revalidate] Content-Type:[application/json; charset=utf-8] Set-Cookie:[csrf_token_5c51a995dd623ddb0e303f9eaf4401a59ccc98b62b61aebc2deae2ca0c291484=WZg0C6YgiwgCbm/xCYlQzqFN1b9iOdmabk41fSA72Fs=; Path=/; Domain=<http://mydomain.com|mydomain.com>; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax] Vary:[Cookie Origin]]

time=2022-12-01T22:07:07Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json origin:<https://mydomain.com> user-agent:curl/7.86.0] host:kratos-public method:GET path:/self-service/login/browser query:<nil> remote:252.64.130.136:55654 scheme:http] http_response=map[headers:map[access-control-allow-credentials:true access-control-allow-origin:<https://mydoamin.com> access-control-expose-headers:Content-Type, Set-Cookie cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 set-cookie:[csrf_token_5c51a995dd623ddb0e303f9eaf4401a59ccc98b62b61aebc2deae2ca0c291484=WZg0C6YgiwgCbm/xCYlQzqFN1b9iOdmabk41fSA72Fs=; Path=/; Domain=<http://mydomain.com|mydomain.com>; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax] vary:Cookie] size:1983 status:200 text_status:OK took:10.017559ms]
The logs are saying that there’s supposed to be headers added, but there’s none in the response. When a similar XMLHttpRequest is made, I get a CORS error--
Copy code
Access to XMLHttpRequest at '<https://auth.mydomain.com/self-service/login/browser>' from origin '<https://mydomain.com>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
version 
v0.11.0-alpha.0.pre.2
Those headers are definitely not being set by kratos. Setting them manually on the way out via traefik is a workaround.
4 Views
Open in Slack
PreviousNext
Powered by