allow_cors may break CORS

[nezed]

users[].allow_cors = true may lead to multiple Access-Control-Allow-Origin headers

Actual behaviour:

Responses with multiple headers is rejected by Chrome browser with following error:

The 'Access-Control-Allow-Origin' header contains multiple values 'http://ui.tabix.io, *', but only one is allowed.

Steps to reproduce:

0. add_http_cors_header = 1 is default behaviour for tabix.io and grafana-clickhouse plugin, also it may be set as default for some users.
1. In this case clickhouse-server responses includes Access-Control-Allow-Origin: * header.
2. Setting chproxy option users[].allow_cors = true leads to injecting second Access-Control-Allow-Origin: origin header.
3. Response that contains two CROS headers and is rejected by Chrome

   Access-Control-Allow-Origin: *                     # by clickhouse-server
   Access-Control-Allow-Origin: http://ui.tabix.io    # by chproxy
   

Expected behaviour

One of this

1. don't add Allow-Origin header is response already has one
2. • if users[].allow_cors = true then drop all Allow-Origin headers in source response if any and write single Allow-Origin header in same manner as chproxy does now
   • if users[].allow_cors = false then do nothing (user may expect that add_http_cors_header will take effect and experience troubles if chproxy changes this behaviour)

For me option 2 looks way better, at least because it respects real Origin header value from client

[hagen1778]

Thanks for so detailed report @nezed!

[bobelev]

any updates on this?

[seifchen]

@hagen1778 any updates on this?