Issue with setting CORS headers using CORS plugin

[novicejava1]

Hi Team,

I am trying to use the CORS plugin to set the HTTP headers for the backend flask based application. Here are the steps that i am following.

1. Start Flask based application

Here is my basic flask application listing on port 2121 and accepts POST method.

[admin@fedser flask]$ cat postjson.py 
from flask import Flask, request

app = Flask(__name__)

@app.route('/postjson', methods=['POST'])
def process_json():
    content_type = request.headers.get('Content-Type')
    if (content_type == 'application/json'):
        json = request.json
        return json
    else:
        return 'Content-Type not supported!'

[admin@fedser flask]$ flask --app postjson run --host=0.0.0.0 --port=2121 &
[1] 10396
[admin@fedser flask]$  * Serving Flask app 'postjson'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:2121
 * Running on http://192.168.29.117:2121

2. Create Route with CORS enabled

Here i am creating a route with CORS plugin to allow_origins and allow_methods attribute set as shown below.

[admin@fedser flask]$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/postjson",
    "plugins": {
        "cors": {
                "allow_origins": "http://fedser.stack.com:9080",
                "allow_methods": "POST"
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "192.168.29.117:2121": 1
        }
    }
}'
{"key":"\/apisix\/routes\/1","value":{"id":"1","priority":0,"plugins":{"cors":{"allow_methods":"POST","max_age":5,"allow_headers":"*","allow_origins":"http:\/\/fedser.stack.com:9080","expose_headers":"*","allow_credential":false}},"create_time":1680363773,"uri":"\/postjson","status":1,"update_time":1680363843,"upstream":{"type":"roundrobin","pass_host":"pass","hash_on":"vars","nodes":{"192.168.29.117:2121":1},"scheme":"http"}}}

3. Test CORS

Sample JSON data

[admin@fedser flask]$ cat postdata.json
{
"name": {
	"firstname": "Alice",
  	"middlename": "Wonder",
	"lastname": "land"
},
"age": 20,
"gender": "Male"
}

Expected Behaviour

As per the CORS attributes set, ideally the below POST request with "Origin" header set to a value other than the allowed origins should reject this request. But the actual behaviour is as shown below.

[admin@fedser flask]$ curl -X POST -H "Content-type: application/json" -H "Origin: http://stack.com:9080" 'http://fedser.stack.com:9080/postjson' -d @postdata.json -vv

Actual Behaviour

CORS Test with Origin set to http://stack.com:9080 allows to access the backend flask based application.

[admin@fedser flask]$ curl -X POST -H "Content-type: application/json" -H "Origin: http://stack.com:9080" 'http://fedser.stack.com:9080/postjson' -d @postdata.json -vv
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.168.29.117:9080...
* Connected to fedser.stack.com (192.168.29.117) port 9080 (#0)
> POST /postjson HTTP/1.1
> Host: fedser.stack.com:9080
> User-Agent: curl/7.85.0
> Accept: */*
> Content-type: application/json
> Origin: http://stack.com:9080
> Content-Length: 106
> 
172.20.0.4 - - [01/Apr/2023 22:06:07] "POST /postjson HTTP/1.1" 200 -
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 96
< Connection: keep-alive
< Date: Sat, 01 Apr 2023 16:36:07 GMT
< Server: APISIX/3.1.0
< 
{"age":20,"gender":"Male","name":{"firstname":"Alice","lastname":"land","middlename":"Wonder"}}
* Connection #0 to host fedser.stack.com left intact

Kindly let me know if my understanding is correct in this respect and let me know if this a bug which could be reported.

[troyqu]

i hit this same issue, seems nobody take attention on it.

[troyqu]

i resolve this problem in my case for detail #11218