Content-Type Not Permitted for CORS

[drewmnoel]

Description

Gitea has hardcoded what headers are permitted via CORS. This list does not include "Content-Type", which is needed in order to get browsers to POST JSON data to the Gitea backend.

gitea/routers/api/v1/api.go

Lines 614 to 622 in 5a6cba4

	m.Use(cors.Handler(cors.Options{
	// Scheme: setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option
	AllowedOrigins: setting.CORSConfig.AllowDomain,
	// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option
	AllowedMethods: setting.CORSConfig.Methods,
	AllowCredentials: setting.CORSConfig.AllowCredentials,
	AllowedHeaders: []string{"Authorization", "X-Gitea-OTP"},
	MaxAge: int(setting.CORSConfig.MaxAge.Seconds()),
	}))

Ideally this would be customizable via a configuration file, but at the least include "Content-Type".

JS Example

fetch(`http://172.23.66.96:3000/api/v1/repos/some_org/some_repo/issues`, {
  method: "POST",
  body: `{"title": "Test issue", "body": "Test body"}`,
  headers: {
    Authorization: "Bearer [...]",
    "Content-Type": "application/json"
  }
})

Preflight

OPTIONS /api/v1/repos/some_org/some_repo/issues HTTP/1.1
Host: 172.23.66.96:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,content-type
Origin: [...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

The middleware rejects this preflight, since the content-type header is not hardcoded in the application. After adding "Debug: true" to the cors.Handler call (see top snippet), the rejection can be seen in the Gitea logs.

Gitea Output

2022/11/09 16:42:17 cmd/web.go:106:runWeb() [I] Starting Gitea on PID: 22617
2022/11/09 16:42:17 cmd/web.go:157:runWeb() [I] Global init
[...]
[cors] 2022/11/09 17:23:17 Handler: Preflight request
[cors] 2022/11/09 17:23:17 Preflight aborted: headers '[Authorization Content-Type]' not allowed
2022/11/09 17:23:17 [636c2855] router: completed OPTIONS /api/v1/repos/some_org/some_repo/issues for 172.23.64.1:63690, 200 OK in 0.1ms @ unknown-handler

Gitea Version

1.17.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/drewmnoel/e771b9f47d96846aeaea02263f44486a

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Gitea build information:

• Gitea version 1.17.3 built with GNU Make 4.3, go1.19.3 : bindata, sqlite, sqlite_unlock_notify

I'm running on the command line with the following section added to the default app.ini:

[cors]
ENABLED = true
SCHEME = http
ALLOW_DOMAIN = *
METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
MAX_AGE = 10m
ALLOW_CREDENTIALS = true
X_FRAME_OPTIONS = SAMEORIGIN

Database

No response